From owner-freebsd-security Mon Dec 9 14:30:08 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA06062 for security-outgoing; Mon, 9 Dec 1996 14:30:08 -0800 (PST)
Received: from itchy.atlas.com ([206.29.170.215]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA06045 for ; Mon, 9 Dec 1996 14:30:04 -0800 (PST)
Received: (from brantk@localhost) by itchy.atlas.com (8.8.0/8.8.0) id OAA13422; Mon, 9 Dec 1996 14:33:30 -0800 (PST)
Message-Id: <199612092233.OAA13422@itchy.atlas.com>
Subject: Re: Running sendmail non-suid
To: cschuber@uumail.gov.bc.ca
Date: Mon, 9 Dec 1996 14:33:29 -0800 (PST)
Cc: bmk@pobox.com, security@freebsd.org
Reply-To: bmk@pobox.com
In-Reply-To: <199612092111.NAA17991@passer.osg.gov.bc.ca> from Cy Schubert - ITSD Open Systems Group at "Dec 9, 96 01:11:56 pm"
From: "Brant Katkansky"
Reply-To: bmk@pobox.com
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > I'm setting up an internet-connected mail hub, and I'd like to run
> > sendmail not suid root. I won't be needing any ~/.forward nonsense,
> > as this machine will have no users at all, and will only forward mail
> > based on /etc/aliases. There will be no local mailboxes on this machine
> > at all.
> >
> > My intention for running sendmail without suid set is so that I can
> > hopefully avoid some of the security problems that we've seen with
> > sendmail in the past.
> >
> > Ideally, what I'd like to do is have sendmail running as root only long
> > enough to bind to the smtp port, and then give up root, never to have
> > it back. Preferably, running as 'nobody' or some other 'safe' user.
> >
> > Has anyone actually done this? Any advice or gotchas to look out for?
> > Am I insane for wanting to do this?
>
> First you will need to create an smtp account.
>
> Next, chown /var/spool/mqueue, /var/mail, and /usr/sbin/sendmail to user
> smtp.
                                 ^^^^^^^^^
Not necessary, no local mailboxes.

> Run a cronjob out of root's cron every 5 minutes to process the queue.
>
> Using this approach you'll manage to stop 95% of any attempts to use
> sendmail to gain access to root. There is still a possibility of gaining
> root with this setup if your smtp account is hacked. It would be a matter
> of creating a mail spool file to setup a setuid-root shell. The general
                                                              ^^^^^^^^^^^
> consensus has usually been that this approach is less secure because it is
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> easier to gain access to a user account than root.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'm curious as to the reasoning behind this statement. I've heard it
before but never a full explanation.

This particular machine is being designed to be specifically a mail
relay, and nothing more. The only network connections it will allow via
arbitrary addresses are via the smtp port(*). I understand that it is
still possible for an unauthorized user to execute commands via buffer
overrun exploits, but they won't be able to do it as root. That'd
require additional work. Or am I missing something here?

I do not profess to be a security expert, but this seems to be a
sensible approach for a mail relay.

(*) Remote access (telnet only) will be permitted only via a few select
(and highly trusted) IP addresses. I realize that this makes the system
somewhat vulnerable to IP-spoofing, but some concessions had to be made.

--
Brant Katkansky (bmk@pobox.com, brantk@atlas.com)
Software Engineer, ADC
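The "root only long enough to bind the smtp port, then give it up for good" sequence that Brant asks about, as an added C example for readers of the archive; it is not code from the thread, from sendmail, or from FreeBSD. It assumes port 25 and a dedicated account named "smtp" (falling back to "nobody"), neither of which the thread pins down, and it ends by checking that setuid(0) is refused, which is the property that distinguishes a permanent drop from a seteuid() that leaves a saved uid 0 behind.

```c
/* Added example (not code from the thread or from sendmail): bind the SMTP
 * port as root, then give up root for good and verify it cannot be regained.
 * The port number (25) and the account names ("smtp", then "nobody") are
 * assumptions made for this example. */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on a TCP port. A port below 1024 is the one step here
 * that needs root. Returns the listening fd, or -1 on failure. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Switch permanently to uid/gid. Order matters: supplementary groups and
 * the gid go first, because they can no longer be changed once the uid is
 * unprivileged. setuid() (not seteuid()) replaces the real, effective and
 * saved uids at once, so no saved uid 0 is left to switch back to. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* setgroups() is refused (EPERM) when we are already unprivileged;
       in that case the group list stays whatever it was at start. */
    if (setgroups(1, &gid) < 0 && errno != EPERM)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* 1 if the process can no longer become root (setuid(0) is refused),
 * 0 if it still can, i.e. the drop did not actually take. */
int root_is_irrevocable(void)
{
    if (setuid(0) == 0 && geteuid() == 0)
        return 0;
    return 1;
}

int main(void)
{
    struct passwd *pw = getpwnam("smtp");   /* assumed account name, as in the thread */
    if (pw == NULL)
        pw = getpwnam("nobody");            /* Brant's other suggestion */
    if (pw == NULL) {
        fprintf(stderr, "no unprivileged account found\n");
        return 1;
    }
    int fd = bind_listener(25);             /* the only step that needs root */
    if (fd < 0) {
        perror("bind port 25");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    /* From here on, a compromised daemon runs as the account, not as root. */
    printf("listening on port 25 as uid %u; root regainable: %s\n",
           (unsigned)geteuid(), root_is_irrevocable() ? "no" : "yes (drop failed)");
    close(fd);
    return 0;
}
```

The check at the end is the point of the exercise: a daemon that drops root with seteuid() passes a casual "whoami"-style look but still has uid 0 in its saved set and can take it back. Note that dropping root does nothing about the caveat Cy raises in the thread: if the unprivileged account also owns the queue directory or the sendmail binary, a compromise of that account still reaches files that root later runs or reads, so ownership of those paths deserves the same scrutiny as the uid the daemon runs under.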