Date: Thu, 2 Jan 2003 20:21:28 -0800
From: Claus Assmann <freebsd+current@esmtp.org>
To: freebsd-current@FreeBSD.ORG
Subject: Re: 5.0-RC2 informal PR: 90 sec sendmail delay
Message-ID: <20030102202128.A8458@zardoc.esmtp.org>
In-Reply-To: <3E150B9F.3F29FB8E@mindspring.com>; from tlambert2@mindspring.com on Thu, Jan 02, 2003 at 08:03:43PM -0800
References: <rgptrg1uzx.trg@localhost.localdomain> <3E1352BC.4043921B@mindspring.com> <20030101145232.A391@zardoc.esmtp.org> <3E13D095.FC52B758@mindspring.com> <20030102104810.A27967@zardoc.esmtp.org> <3E14ACAC.2014C867@mindspring.com> <20030102193059.A30727@zardoc.esmtp.org> <3E150B9F.3F29FB8E@mindspring.com>

On Thu, Jan 02, 2003, Terry Lambert wrote:
> Claus Assmann wrote:
> > On Thu, Jan 02, 2003, Terry Lambert wrote:
> > > Claus Assmann wrote:

> > > > What can you do with smmsp group access?
> >
> > > Send tons of SPAM.  Execute code as mailuser to raise my privilege
> > > to root, and then execute code as root.
> >
> > > 8-).
> >
> > Show me a way to do the latter. If you can do that, then it's
> > a bug that needs to be fixed.

> If it's a bug that needs to be fixed, it's a bug in the host OS,
> and not something that sendmail can address.

So your claim is wrong. You can't use the mailuser account to
raise your privileges to root.

> As I said before, I understand the PR problem of having a remote
> exploit be a remote root exploit vs. a remote $MAILUSER exploit:

Ok, let me say it once: this is B.S. This is not a P.R. problem,
it is a real technical problem as I proved to you before.

Since this discussion is off-topic for this list and you are not
able to prove your point, I stop here. If you want to continue,
I invite you to read the sendmail 9 design document and to tell
me which of the parts that involve the security features of it
are flawed.

http://www.sendmail.org/~ca/email/sm-9-rfh.html