[940] in linux-security and linux-alert archive


Re: [linux-security] sendmail security issues

daemon@ATHENA.MIT.EDU (Jesse Pollard)
Sun Jul 21 15:23:26 1996

Date: Fri, 19 Jul 1996 09:24:32 -0500
From: Jesse Pollard <pollard@msrcnavo.navy.mil>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Mail from 'rdm@tad.micro.umn.edu'
      dated: 17 Jul 1996 14:17:36 -0000

rmt:
>[Mod: Quoting trimmed.  --Jeff.]
>Wietse Venema:
>>There is more to sendmail than just this:
>>- access recipient's ~/.forward files and exploder :include: files
>
>accessing recipient's ~/.forward files would also be best handled by
>a separate delivery program that runs under the user's uid.  :include:
>file handling is purely an abstraction and should be run under the
>proper uid for whatever file it's included from.
>
>Wietse Venema continues:
>>This is actually a recursive process.
>>- execute shell commands (either in .forward, aliases or other).
>
>If this ever crosses uid boundaries, it should be treated as just another
>mail message and go through all the standard mechanisms for handling mail
>messages.

Unfortunately this will waste a LOT of time:

    sendmail -> 0.delivery (gets 4 forwarding addresses)
                -> 1.sendmail to new address
                -> 2.sendmail to second addr
                -> 3.sendmail to third
                -> 4.sendmail to fourth.
Then each sendmail must look up a new .forward:
    1.sendmail -> 1.delivery (gets 2 forwarding addresses)
                -> 1.1.sendmail to address
                -> 1.2.sendmail

And each of these sendmail processes must do a delivery. Guess what happens if
one of these forwarded addresses includes an address of the first delivery
(0.delivery). Infinite recursion.

Sendmail avoids this by loading the forwarding addresses, then eliminating
duplicates. At least this is the case when only one system is involved; with
two or more, the infinite recursion does happen. It is limited by the hop count
so that total chaos is controlled. It can STILL happen when the delivery agent is
a mail filter (such as vacation) that sends out an "I'm not here - try later"
message to a user that just set vacation... (at least one message will be
passed between them forever. Each vacation message is a new message as far
as can be determined by sendmail).

The approach outlined is also a major performance hog. Sendmail is an
intelligent (well... relatively) delivery agent and does analysis to reduce
system overhead and avoid delivering the same message multiple times.

Jesse Pollard
pollard@msrcnavo.navy.mil
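Added example, not part of the original post or of sendmail itself: a small Python model of the forwarding expansion discussed above. Duplicate elimination stops the loop within one host, while a cross-host loop (hostA to hostB and back) is only bounded by the hop count and delivers the same message several times. The hosts, addresses and MAX_HOPS value are constructed for illustration.

```python
# Added example, not from the original post. Hosts, addresses and MAX_HOPS
# are constructed for illustration, not real sendmail configuration.
# Per-host forwarding tables; an address with no entry is a local mailbox.
FORWARD = {
    "hostA": {"alice@hostA": ["bob@hostA", "dave@hostA", "carol@hostB"],
              "bob@hostA": ["alice@hostA"]},     # bob forwards back to alice
    "hostB": {"carol@hostB": ["alice@hostA"]},   # cross-host loop via hostB
}
MAX_HOPS = 5  # stands in for the hop-count limit; value is arbitrary


def host_of(addr):
    return addr.split("@", 1)[1]


def expand_local(addr):
    """One host, one message: expand each recipient at most once (dedup).
    Returns (local mailboxes, addresses to hand off to other hosts)."""
    host, seen, local, remote = host_of(addr), set(), set(), set()
    stack = [addr]
    while stack:
        a = stack.pop()
        if a in seen:          # duplicate: already expanded, drop it
            continue
        seen.add(a)
        if host_of(a) != host:
            remote.add(a)      # handed off as a new message to that host
        elif a in FORWARD.get(host, {}):
            stack.extend(FORWARD[host][a])
        else:
            local.add(a)
    return local, remote


def deliver(addr, hops=0, log=None):
    """Each hand-off is a fresh message with its own seen-set; only the
    hop count stops the hostA <-> hostB loop. Returns the delivery log."""
    log = [] if log is None else log
    if hops > MAX_HOPS:
        log.append(("bounced", addr, hops))
        return log
    local, remote = expand_local(addr)
    for m in sorted(local):
        log.append(("delivered", m, hops))
    for r in sorted(remote):
        deliver(r, hops + 1, log)
    return log
```

Run deliver("alice@hostA") to see dave's mailbox receive the same message at hops 0, 2 and 4 before the hop count bounces it.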
