
Re: sendmail and suidness (or lack thereof)



On Wed, Apr 04, 2001 at 05:34:12AM +0200, Richard A Nelson wrote:

||  The change is based upon the reasons sendmail has for root:
||    * bind to port 25 (could be done via authbind)
||    * calls to LDA (procmail, etc) that aren't suid root - no alternative
||    * read user's .forward - no alternative
||    * write to /var/spool/mqueue (could be sgid mail)
||
||  The basic idea is to have two binaries (likely the same binary in two
||  places - but that's not relevant):
||    * sm-mta (the part that needs root privileges)
||    * sm-msp (the part that doesn't need root, but needs sgid mail)
||  And entails creating a new queue directory that'd be sgid mail

If memory serves, the sendmail binary is rather large.

If there are really going to be two copies of it that differ only in
permissions, wouldn't it be a good idea to write two tiny wrappers, that
do nothing but exec the real binary? Or even one wrapper only around a
non-suid non-sgid binary?

It has the added advantage that one could put some security and sanity
checks in the wrapper at a later date.

||  sm-mta would not be in the search order, not suid, not be world
||  readable/executable... owned and executed by root via today's
||  /etc/init.d/sendmail.  It'd bind to port 25 and handle passing of mail
||  onto LDAs.

If it's non-suid and non-sgid, there's no need to remove the world execute
permission.  Just make it mode 0755 in the unix philosophy of openness.
Also, you can't really tell if some mortal might still want to execute
it, for instance with the -C flag.  Just put it in /usr/sbin, and no
ordinary users will be bothered by it.

Ciao.                                                             Vincent.

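As an added example (not from the thread, the sendmail package or Debian), here is a small POSIX shell audit of the layout the two messages describe: sm-mta plain 0755 as Vincent suggests, sm-msp and the client queue setgid, and no setuid binaries left anywhere. The paths, the expected modes and the sample tree are assumptions made for this example; it needs GNU stat and find.

```shell
#!/bin/sh
# Audit a split sendmail layout: sm-mta non-suid, sm-msp setgid only, the
# client queue directory setgid, and nothing setuid under the install root.
# Paths and modes are assumptions for this example, not a real package layout.

# Print the octal permission bits of a path (e.g. 2755).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if the path exists with exactly the expected octal mode.
has_mode() {
    [ "$(mode_of "$1" 2>/dev/null)" = "$2" ]
}

# Return 0 if no regular file below $1 carries the setuid bit.
no_setuid() {
    [ -z "$(find "$1" -type f -perm -4000 2>/dev/null)" ]
}

# Check one install root; returns 0 when every rule holds, 1 otherwise,
# naming each violated rule on stderr.
audit_layout() {
    root=$1; rc=0
    has_mode "$root/usr/sbin/sm-mta" 755 || { echo "sm-mta should be 0755" >&2; rc=1; }
    has_mode "$root/usr/sbin/sm-msp" 2755 || { echo "sm-msp should be 2755 (sgid)" >&2; rc=1; }
    has_mode "$root/var/spool/mqueue-client" 2775 || { echo "client queue should be 2775" >&2; rc=1; }
    has_mode "$root/var/spool/mqueue" 700 || { echo "root queue should be 0700" >&2; rc=1; }
    no_setuid "$root" || { echo "setuid files present under $root" >&2; rc=1; }
    return $rc
}

# Build a constructed sample tree in a temp dir and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/var/spool/mqueue" "$d/var/spool/mqueue-client"
    : > "$d/usr/sbin/sm-mta"; chmod 0755 "$d/usr/sbin/sm-mta"
    : > "$d/usr/sbin/sm-msp"; chmod 2755 "$d/usr/sbin/sm-msp"
    chmod 0700 "$d/var/spool/mqueue"
    chmod 2775 "$d/var/spool/mqueue-client"
    echo "$d"
}
```

Run `audit_layout /` (or a staging root) after installing the package; any setuid-root copy that sneaks back in is reported as a violation.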

