Date:      Mon, 9 Dec 1996 14:33:29 -0800 (PST)
From:      "Brant Katkansky" <bmk@pobox.com>
To:        cschuber@uumail.gov.bc.ca
Cc:        bmk@pobox.com, security@freebsd.org
Subject:   Re: Running sendmail non-suid
Message-ID:  <199612092233.OAA13422@itchy.atlas.com>
In-Reply-To: <199612092111.NAA17991@passer.osg.gov.bc.ca> from Cy Schubert - ITSD Open Systems Group at "Dec 9, 96 01:11:56 pm"

> > I'm setting up an internet-connected mail hub, and I'd like to run
> > sendmail not suid root.  I won't be needing any ~/.forward nonsense,
> > as this machine will have no users at all, and will only forward mail
> > based on /etc/aliases.  There will be no local mailboxes on this machine
> > at all.
> > 
> > My intention for running sendmail without suid set is so that I can
> > hopefully avoid some of the security problems that we've seen with
> > sendmail in the past.
> > 
> > Ideally, what I'd like to do is have sendmail running as root only long
> > enough to bind to the smtp port, and then give up root, never to have
> > it back.  Preferably, running as 'nobody' or some other 'safe' user.
> > 
> > Has anyone actually done this?  Any advice or gotchas to look out for?
> > Am I insane for wanting to do this?
> 
> First you will need to create an smtp account.
> 
> Next, chown /var/spool/mqueue, /var/mail, and /usr/sbin/sendmail to user
> smtp.                          ^^^^^^^^^

Not necessary, no local mailboxes.

> 
> Run a cronjob out of root's cron every 5 minutes to process the queue.
> 
> Using this approach you'll manage to stop 95% of any attempts to use
> sendmail to gain access to root.  There is still a possibility of gaining
> root with this setup if your smtp account is hacked.  It would be a matter
> of creating a mail spool file to setup a setuid-root shell.  The general
                                                               ^^^^^^^^^^^
> consensus has usually been that this approach is less secure because it is
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> easier to gain access to a user account than root.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'm curious as to the reasoning behind this statement.  I've heard it
before but never a full explanation.

This particular machine is being designed to be specifically a mail relay,
and nothing more.  The only network connections it will allow via arbitrary
addresses are via the smtp port(*).  I understand that it is still possible
for an unauthorized user to execute commands via buffer overrun exploits,
but they won't be able to do it as root.  That'd require additional work.

Or am I missing something here?  I do not profess to be a security expert, but
this seems to be a sensible approach for a mail relay.

(*) Remote access (telnet only) will be permitted only via a few select
(and highly trusted) IP addresses.  I realize that this makes the
system somewhat vulnerable to IP-spoofing, but some concessions had to be
made.

-- Brant Katkansky (bmk@pobox.com, brantk@atlas.com)
   Software Engineer, ADC
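The arrangement Brant describes (run as root only long enough to bind the smtp port, then give up root for good) as an added C example; it is not code from this thread or from sendmail, and the account name "nobody", the loopback address and port 25 are assumptions. The last function is the check a relay should run before it serves anything: if root can still be reacquired, the drop did not happen.

```c
#define _DEFAULT_SOURCE                     /* glibc: expose setgroups() */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listen on loopback TCP `port` (0 = any free port); returns the fd or -1.
   Ports below 1024 need root: the only reason the daemon starts as root. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanent drop: clear supplementary groups, then gid before uid (the other order
   leaves no privilege to change the gid). As root, setuid() sets real, effective
   and saved uid, so there is no way back. Returns 0 on success, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* "Never to have it back": 1 if the process can still become root, else 0. */
int can_regain_root(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 1;
    return (setuid(0) == 0 || seteuid(0) == 0) ? 1 : 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");   /* assumed; or a dedicated smtp account */
    int fd = bind_listener(25);               /* needs root on a real mail hub */
    if (fd < 0 || !pw || drop_privileges(pw->pw_uid, pw->pw_gid) < 0 || can_regain_root())
        return 1;                             /* refuse to serve while still privileged */
    printf("listening on 25 as uid %d\n", (int)getuid());
    return close(fd);
}
```

Note that this only removes root from the listening process; the queue runner Cy mentions (cron, or a separate sendmail -q) still needs its own account and file ownership sorted out.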


