[127] in Release_7.7_team

Re: Sendmail vulnerability

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri Jul 15 20:35:14 1994

To: Matt Braun <mhbraun@MIT.EDU>
Cc: holes@MIT.EDU, release-77@MIT.EDU
Date: Fri, 15 Jul 94 20:34:57 EDT
From: Marc Horowitz <marc@MIT.EDU>

>> As I see it we have 3 choices:

There's a fourth choice.  Put a setuid /usr/athena/lib/sendmail in the
release, based on sendmail 8.6.9.  Use it for everything.  Put the
vendor version in the release, non-setuid.  Have mkserv mail or
whatever ask the user which sendmail to use, and have an rc.conf
variable to indicate which one should be used.  This way, normal
machines are secure, admins who don't hack their mail conf are secure,
and people can choose to use a less-trusted sendmail if they really
want to.

		Marc
