From owner-freebsd-security Mon Dec 9 13:13:32 1996
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA00777 for security-outgoing; Mon, 9 Dec 1996 13:13:32 -0800 (PST)
Received: from passer.osg.gov.bc.ca (0@passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA00762 for ; Mon, 9 Dec 1996 13:13:29 -0800 (PST)
Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.4/8.6.10) with SMTP id NAA17991; Mon, 9 Dec 1996 13:11:56 -0800 (PST)
From: Cy Schubert - ITSD Open Systems Group
Message-Id: <199612092111.NAA17991@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: 15005@localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: MH
X-Sender: cschuber
To: bmk@pobox.com
cc: security@freebsd.org
Subject: Re: Running sendmail non-suid
In-reply-to: Your message of "Mon, 09 Dec 96 10:09:55 PST." <199612091809.KAA11729@itchy.atlas.com>
Date: Mon, 09 Dec 96 13:11:56 -0800
X-Mts: smtp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I'm setting up an internet-connected mail hub, and I'd like to run
> sendmail not suid root. I won't be needing any ~/.forward nonsense,
> as this machine will have no users at all, and will only forward mail
> based on /etc/aliases. There will be no local mailboxes on this machine
> at all.
>
> My intention for running sendmail without suid set is so that I can
> hopefully avoid some of the security problems that we've seen with
> sendmail in the past.
>
> Ideally, what I'd like to do is have sendmail running as root only long
> enough to bind to the smtp port, and then give up root, never to have
> it back. Preferably, running as 'nobody' or some other 'safe' user.
>
> Has anyone actually done this? Any advice or gotchas to look out for?
> Am I insane for wanting to do this?

First you will need to create an smtp account.
Next, chown /var/spool/mqueue, /var/mail, and /usr/sbin/sendmail to user smtp. Run a cronjob out of root's cron every 5 minutes to process the queue.

Using this approach you'll manage to stop 95% of any attempts to use sendmail to gain access to root. There is still a possibility of gaining root with this setup if your smtp account is hacked. It would be a matter of creating a mail spool file to set up a setuid-root shell. The general consensus has usually been that this approach is less secure because it is easier to gain access to a user account than root.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    OV/VM:  BCSC02(CSCHUBER)
Open Systems Support           BITNET: CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
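As an added example that is not part of Cy's post, here is a POSIX shell audit function for the layout he describes: it checks that the sendmail binary is no longer setuid, that the binary, /var/spool/mqueue and /var/mail belong to the smtp user, and, for the residual risk he names, that no setuid or setgid file has appeared inside the spool directories the smtp user owns. The default paths and the user name are assumptions taken from the post; all four can be overridden by arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a "non-suid sendmail"
# layout: binary not setuid, binary/queue/spool owned by the unprivileged user,
# and no setuid/setgid files planted in the spool directories that user owns.
# Defaults (assumed from the post): /usr/sbin/sendmail, /var/spool/mqueue,
# /var/mail, user "smtp". Returns 0 when the layout is clean, 1 on any finding.
# The queue is meant to be drained from root's cron, e.g. (constructed entry):
#   */5 * * * * /usr/sbin/sendmail -q
audit_nonsuid_sendmail() {
    sendmail=${1:-/usr/sbin/sendmail}
    mqueue=${2:-/var/spool/mqueue}
    maildir=${3:-/var/mail}
    user=${4:-smtp}
    rc=0

    # 1. The binary itself must not carry the setuid bit any more.
    if [ -n "$(find "$sendmail" -maxdepth 0 -perm -4000 2>/dev/null)" ]; then
        echo "FINDING: $sendmail is setuid"
        rc=1
    fi

    # 2. Binary, queue directory and mail spool should belong to the smtp user.
    for p in "$sendmail" "$mqueue" "$maildir"; do
        if [ ! -e "$p" ]; then
            echo "FINDING: $p does not exist"
            rc=1
        elif [ -n "$(find "$p" -maxdepth 0 ! -user "$user" 2>/dev/null)" ]; then
            echo "FINDING: $p is not owned by $user"
            rc=1
        fi
    done

    # 3. Residual risk from the post: a compromised smtp account can write into
    #    the spool it owns, so any setuid/setgid file found there is a red flag.
    hits=$(find "$mqueue" "$maildir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$hits" ]; then
        echo "FINDING: setuid/setgid files in spool directories:"
        echo "$hits"
        rc=1
    fi
    return $rc
}
```

Run it from root's cron alongside the queue runner, or by hand after the chown step, and treat any non-zero exit as something to investigate.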