From owner-freebsd-security Tue Dec 10 14:10:11 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA06147 for security-outgoing; Tue, 10 Dec 1996 14:10:11 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA06137 for ; Tue, 10 Dec 1996 14:10:09 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id PAA26410; Tue, 10 Dec 1996 15:09:51 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id PAA23140; Tue, 10 Dec 1996 15:08:54 -0700 (MST)
Date: Tue, 10 Dec 1996 15:08:54 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Guido van Rooij
cc: bmk@pobox.com, security@freebsd.org
Subject: Re: Running sendmail non-suid
In-Reply-To: <199612102126.WAA17440@gvr.win.tue.nl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Guido van Rooij wrote:

>
> > I don't believe that running sendmail from inetd will be a viable option -
> > anticipated load is too high. What I will likely do is run it non-suid,
> > but start it as root, and give up root privilege as soon as the port is
> > bound. I'd rather not muck around in the kernel.
>
> I thought there is an option nowadays that does exactly this:
>
> O RunAsUser=

Not really. From the RELEASE_NOTES:

    Add new RunAsUser option; this causes sendmail to do a setuid to that
    user early in processing to avoid potential security problems. However,
    this means that all .forward and :include: files must be readable by
    that user, and on systems that don't support the saved uid bit properly,
    all files to be written must be writable by that user and all programs
    will be executed by that user. It is also incompatible with the
    SafeFileEnvironment option.
In other words, it may not actually add much to security. However, it should be useful on firewalls and other places where users don't have accounts and the aliases file is well constrained. It runs more as root than alternative solutions. grep the sources for RunAsUid to see where it actually does the switches.
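The approach bmk describes above (start as root, bind the port, then give up root for good) is easy to get subtly wrong: the group list must go before the uid, and the saved uid must not be left at 0 or the daemon can seteuid() its way back. The following is an added example written for this page, not code from the thread or from sendmail. It binds a listener on an arbitrary port (25 needs root; 0 picks a free port so the sequence can be exercised unprivileged), drops to a target uid/gid, and then proves the drop is irreversible by attempting to regain root. The uid 65534 used as a default target is assumed to be an unprivileged account (commonly "nobody"); `privdrop_demo`, `drop_privileges` and the other names are this example's own.

```c
/* Added example (not from the mailing-list post or from sendmail):
 * bind a listening socket while still root, then drop to an
 * unprivileged uid/gid and verify the drop cannot be undone. */
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener on `port` (0 = any free port; 25 needs root).
 * Returns the socket fd, or -1 on failure. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid permanently. Order matters: supplementary groups and the
 * gid go first, because once the uid is unprivileged they can no longer be
 * changed. Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may call setgroups(); without it root's group
         * memberships would leak into the unprivileged process. */
        if (setgroups(1, &gid) < 0)
            return -1;
    }
    if (setgid(gid) < 0)
        return -1;
    /* setuid() called by a root process sets real, effective AND saved uid,
     * so no saved uid 0 remains for a later seteuid(0). This is the
     * "saved uid bit" behaviour the RELEASE_NOTES excerpt depends on. */
    if (setuid(uid) < 0)
        return -1;
    return 0;
}

/* Returns 1 if the process is root or can still become root again. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    return seteuid(0) == 0 || setuid(0) == 0;
}

/* Returns 1 only if real and effective uid are `uid` and root is gone. */
int privileges_dropped(uid_t uid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    return uid == 0 ? 0 : !can_regain_root();
}

/* Target identity for the demo: stay as we are if already unprivileged,
 * otherwise use 65534 (assumed to be an unprivileged account such as nobody). */
uid_t demo_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

/* The full sequence: bind as root, drop, verify. Returns 0 on success;
 * -1 bind failed, -2 drop failed, -3 drop did not take. */
int privdrop_demo(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = bind_listener(port);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) < 0) { close(fd); return -2; }
    if (!privileges_dropped(uid)) { close(fd); return -3; }
    /* The already-bound socket stays usable after the drop; only the
     * ability to bind further privileged ports is gone. */
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    unsigned short port = argc > 1 ? (unsigned short)atoi(argv[1]) : 25;
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : demo_uid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : demo_gid();
    int rc = privdrop_demo(port, uid, gid);
    printf("port %u, uid %u: %s\n", port, (unsigned)uid,
           rc == 0 ? "bound and privileges dropped" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Run as root with `./privdrop 25 65534 65534` to see the real case; run unprivileged with `./privdrop 0` to exercise the same code path on an ephemeral port. The check in `privileges_dropped` is the part worth keeping in any daemon: a drop that leaves the saved uid at 0, or that runs setuid() before setgid(), passes a casual `id`-style inspection but still has a road back to root.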