From owner-freebsd-stable Wed Sep 15 15:27:47 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 9EE1F14BC2 for ; Wed, 15 Sep 1999 15:27:42 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40337>; Thu, 16 Sep 1999 08:25:22 +1000
Date: Thu, 16 Sep 1999 08:27:31 +1000
From: Peter Jeremy
Subject: Re: mail.local setuid
In-reply-to: <37DF475C.1682F7A3@urc.ac.ru>
To: anton@urc.ac.ru
Cc: stable@FreeBSD.ORG
Message-Id: <99Sep16.082522est.40337@border.alcanet.com.au>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Anton Voronin wrote:
> does anyone have an idea why /usr/libexec/mail.local is made setuid?

In order to do local mail delivery (at least in the BSD way), _something_ must be setuid root so it can change the ownership of the mail item from the originator to the recipient. By default, there are two setuid processes - sendmail and mail.local, one of which _is_ redundant.

Traditionally, sendmail runs as root so that it can bind to port 25 and change uid to allow local mail delivery without a setuid local delivery agent. The problem with this approach is that sendmail is large, difficult to follow (and hence, audit), exposed and (at least in the past) has had more than its share of security problems.

A newer approach is to run sendmail as a non-privileged user and/or in a sandbox, relying on separate, smaller, easily audited programs to manage the port binding and mail delivery. It is much easier to check for security holes in mail.local (which is essentially a single 1300 line C program) than sendmail (which is ~48000 lines of C spread over 34 source files).

> It is now
> impossible to control mailbox quotas because it is always run as root.

Then this is a bug in mail.local.

Peter