From owner-freebsd-hackers Sun Nov 24 17:46:07 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA27408 for hackers-outgoing; Sun, 24 Nov 1996 17:46:07 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA27395 for ; Sun, 24 Nov 1996 17:45:45 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id TAA13851; Sun, 24 Nov 1996 19:44:29 -0600
From: Joe Greco
Message-Id: <199611250144.TAA13851@brasil.moneng.mei.com>
Subject: Re: Replacing sendmail (Re: non-root users binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2
To: peter@taronga.com (Peter da Silva)
Date: Sun, 24 Nov 1996 19:44:29 -0600 (CST)
Cc: hackers@freebsd.org
In-Reply-To: <199611250041.SAA08169@bonkers.taronga.com> from "Peter da Silva" at Nov 24, 96 06:41:53 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > "Sendmail is the de-facto Unix standard mail delivery agent. It is
> > continually subjected to rigorous security scrutiny and frequently
> > updated.
>
> Don't make me laugh. It has more security holes revealed per year than
> every other setuid program in UNIX put together.

That suggests that the statement above is true :-) Thank you for supporting Sendmail ;-)

> > - expose a pile of security holes that the Qmail developer(s) never
> > thought existed.
>
> Have you looked at qmail? The bits exposed to the outside world don't
> even run as root. EVER.

Point being? One does not need to run as root to expose a security hole. A security hole can be as simple as a buffer overrun condition that was overlooked by the author. And by definition, a security hole involves getting bits to run in ways that you did not intend (i.e. non-root bits running as root, etc).
As a matter of fact, the last Sendmail security problem involved a bug that I suspect people would also have claimed "[the] bits [that are] exposed to the outside world don't even run as root."

I do not trust any program where people make such broad, clearly naive statements about security. It usually means that they do not understand that security is merely deterrent, not prevention. I do not care HOW good someone thinks they are with code, there is ALWAYS an exploitable hole or bug of some sort buried in any program worth having.

Security is constantly being prepared and testing for weaknesses. Sendmail lives up to that. Eric Allman always has a patch or fix for Sendmail security problems. Every time the burglars get more sophisticated, the locksmith counters appropriately. I have faith in that, and am not about to advise anyone to go with some fly-by-night solution. It might be more secure, but it might not be. The authors might be as responsive to breaches as Eric Allman is, but they might not be... don't know.

I do know that Sendmail is probably one of the most scrutinized setuid programs in the world. That, no doubt, is a double-edged sword. It means that ANY bug or hole is likely to be discovered eventually, no matter how obscure, and will be fixed quickly. That makes it a better program. However, that same fact means that it is also much more likely that someone will try to use it to break in :-/

> > - make FreeBSD the laughing stock of the unix community.
>
> The part of the UNIX community that doesn't care about security, anyway.

Funny, I care very much about security.

In any case, if you wish to submit patches against sysconfig to make sendmail/qmail a selectable option, the way gated/routed are done, I would be the first to support the addition of such an option. I just do not like the idea of flying against the wind and making a relatively unknown and immature product the default MTA.

... JG