Date:      Sat, 23 Nov 1996 15:33:46 -0700 (MST)
From:      Marc Slemko <marcs@znep.com>
To:        Warner Losh <imp@village.org>
Cc:        Mark Newton <newton@communica.com.au>, freebsd-hackers@freebsd.org
Subject:   Re: non-root users binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).) 
Message-ID:  <Pine.BSF.3.95.961123150746.5433B-100000@alive.ampr.ab.ca>
In-Reply-To: <E0vRPdB-0003Vq-00@rover.village.org>

On Sat, 23 Nov 1996, Warner Losh wrote:

> In message <Pine.BSF.3.95.961122201253.28251D-100000@alive.ampr.ab.ca> Marc Slemko writes:
> : This thread started in freebsd-security earlier in the week; it
> : evolved from a discussion of the reasons why sendmail runs as root.
> : The basic suggestion was to implement some system of allowing the
> : specification of what non-root users could bind to what ports below
> : 1024.  I am moving it to -hackers since the response in -security
> : has been limited and it possibly involves issues related to a common
> : interface similar to sysctl.
> 
> The other reason that sendmail needs to run as root is to fork off user
> shells on mail delivery.  Has there been any thought as to how to
> solve that problem?  It was ignored while this thread was going on in
> -security, and should not be ignored.  I tried to make this point, but
> nobody was listening to me there, or so it appeared.  This is an
> absolute requirement for a mail system based on sendmail.

That's one of the reasons I am not sure about the usefulness for sendmail
of letting non-root users bind to ports below 1024.  One choice is to
simply not let users run local delivery agents.  Not an acceptable general
solution, but perfectly acceptable local policy for _some_ systems.

The other choice is to have some external (and small) delivery program
that handles it; with the local delivery program running as root.  For
example, you could have a separate program that is setuid root which
handles the final delivery stage if a program needs to be run.  You need
to be very careful that nothing which is passed to it can make it do
undesirable things, because when the user sendmail is running as is
compromised, the person can pass anything they want to the "program
execution agent" to try to make it do bad things.

The other issue, of course, is that there is no reason sendmail can't run
as a daemon as root and simply have the child setuid to some other user
after accepting a connection but before processing it; things like
webservers do it and it seems to work quite well.

> 
> While I think it is maybe useful to allow binding to port 1024 to
> non-root programs, it is also potentially dangerous and should only be
> entered into if you are sure that there are *NO* holes possible.

I want to try to keep the very political and religious issue of running
sendmail as a non-root user out of the discussion of non-root users
binding to ports <1024 as much as possible because the sendmail issue
isn't something that can be solved easily.

I see little room for bugs in the kernel implementation of non-root users
binding to ports <1024; there is lots of room for problems in the use of
such a feature by programs, but that is really a different issue; 
probably more important, but different and far more involved.
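
The pattern described above (the daemon keeps root only long enough to bind the port, and the child sheds it right after accept() and before it looks at any client data), as an added example in C; this is not code from the thread or from sendmail, and the loopback address, port 25 and the uid/gid 65534 are assumed placeholders for a real deployment.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
/* Added example, not code from the thread: bind a port below 1024 while
 * still root, then have the child drop to an unprivileged account right
 * after accept() and before it reads any client data. */
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Permanently give up root: supplementary groups, then gid, then uid.
 * Returns 0 only if every step succeeded and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may clear them */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)  /* gid first: refused after setuid() */
        return -1;
    if (uid != 0 && setuid(0) == 0)             /* the drop must be irreversible */
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}
/* Listening socket on `port`; bind() needs root when port < 1024. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0)
        return -1;
    return fd;
}

int main(void)
{
    int lfd = bind_listener(25);   /* still root here, so the bind succeeds */
    if (lfd < 0) return 1;
    for (;;) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd < 0) continue;
        if (fork() == 0) {         /* child: shed root before doing anything else */
            close(lfd);
            /* 65534/65534 is a placeholder for a dedicated service account */
            if (drop_privileges(65534, 65534) != 0) _exit(1);
            (void)write(cfd, "220 ready\r\n", 11);  /* client handling runs unprivileged */
            _exit(0);
        }
        close(cfd);
        while (waitpid(-1, NULL, WNOHANG) > 0) ;  /* reap finished children */
    }
}
```

The parent never touches a client socket with root, so a bug in the protocol handling is confined to the unprivileged child; the setuid delivery helper discussed above would be the only remaining root code path.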
