[948] in linux-security and linux-alert archive
Re: [linux-security] sendmail security issues
daemon@ATHENA.MIT.EDU (Joseph S. D. Yao)
Wed Jul 24 06:37:38 1996
Date: Tue, 23 Jul 1996 11:55:51 -0400
From: "Joseph S. D. Yao" <jsdy@cais.cais.com>
To: linux-security@tarsier.cv.nrao.edu, pollard@msrcnavo.navy.mil
Jesse Pollard:
> rmt:
> >Wietse Venema:
> >>There is more to sendmail than just this:
> >>- access recipient's ~/.forward files and exploder :include: files
> >accessing recipient's ~/.forward files would also be best handled by
> >a separate delivery program that runs under the user's uid. ...
> ...
> Unfortunately this will waste a LOT of time:
Not necessarily. Once upon a time, I came upon this problem (when
installing a second-source TCP/IP and sendmail on a pure Bell Labs
System V VAX - that was an adventure in debugging second-source code!).
Rather than risk something insecure, I had sendmail fork and exec a
small "get_forwards" program just before it set its UID to be non-root.
The small program ran as root, but being small, it was more verifiable
than 'sendmail'. The protocol was simple: 'sendmail' sent a local
logname down the pipe, and the program returned the contents of the
".forward" file, or the same name if no ".forward" file was found (or
the logname didn't exist, etc.). I think - this is all from memory, as
the system having that code became unavailable to me and was later
trashed. In any case, the program couldn't be spoofed very easily (if
at all), since it could only be run by root and it only spoke to its
parent via pipe. It spent most of its time sleeping. There was only
one fork, at the beginning. The pipe reads and writes were fairly
cheap, and would be cheaper on the Berkelian memory pipes that I
believe most systems (s5 or bsd-based) use these days.
Most of you should be able to write a fairly secure version of same
from these specs; I've never really needed to do that since.
Joe Yao jsdy@cais.com - Joseph S. D. Yao
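The design sketched in the message above, written out as an added example; this is not Joe Yao's code (which, as he says, no longer exists) but a reconstruction of the same split: a small helper that keeps root, is spoken to only through a pipe by its parent, and answers a logname with the contents of that user's .forward file or with the name itself when nothing usable is found. The framing (newline-terminated request, length-prefixed reply), the in-process `serve_forwards` child instead of an exec'd binary, and the checks the helper makes before trusting a .forward file (regular file, no symlink, owned by the user, not group/world writable) are all assumptions of this example, added as the checks a reviewer of such a helper would look for.

```c
/* Added example (not the code from the message above): a small
 * privilege-separated ".forward" reader. The parent forks it before giving
 * up root; the helper validates the logname, refuses unsafe .forward files
 * and speaks only to its parent over a pipe. Constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Plain login names only: bounded length, no '/', no leading '.' or '-'. */
int valid_logname(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
    size_t n = strlen(name);
    return n > 0 && n <= 32 && name[0] != '.' && name[0] != '-' &&
           strspn(name, ok) == n;
}

/* Copy home/.forward into out (NUL-terminated). Returns the byte count, 0 if
 * absent, -1 if refused: symlink, not regular, wrong owner, g/o-writable, too big. */
long read_forward(const char *home, uid_t uid, char *out, size_t outlen)
{
    char path[PATH_MAX];
    struct stat st; ssize_t n = -1;
    if (snprintf(path, sizeof path, "%s/.forward", home) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == uid &&
        !(st.st_mode & (S_IWGRP | S_IWOTH)) && st.st_size < (off_t)outlen)
        n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (long)n;
}

/* Helper side (stays root): reads newline-terminated lognames from its parent,
 * answers each with a length-prefixed reply; it touches nothing else. */
void serve_forwards(int in_fd, int out_fd)
{
    FILE *in = fdopen(in_fd, "r");
    char line[64], reply[4096];
    while (in != NULL && fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        /* reply rule from the message: .forward contents, else the logname itself */
        struct passwd *pw = valid_logname(line) ? getpwnam(line) : NULL;
        if (pw == NULL || read_forward(pw->pw_dir, pw->pw_uid, reply, sizeof reply) <= 0)
            snprintf(reply, sizeof reply, "%s", line);
        unsigned len = (unsigned)strlen(reply);
        if (write(out_fd, &len, sizeof len) != (ssize_t)sizeof len ||
            write(out_fd, reply, len) != (ssize_t)len)
            break;
    }
}

/* Unprivileged side: one request, one reply. Returns the reply length or -1. */
long ask_helper(int to_helper, int from_helper, const char *name, char *out, size_t outlen)
{
    char req[64]; unsigned len;
    int n = snprintf(req, sizeof req, "%s\n", name);
    if (n <= 0 || n >= (int)sizeof req || write(to_helper, req, n) != n ||
        read(from_helper, &len, sizeof len) != (ssize_t)sizeof len || len >= outlen)
        return -1;
    for (size_t got = 0; got < len;) {
        ssize_t r = read(from_helper, out + got, len - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    out[len] = '\0';
    return (long)len;
}

int main(int argc, char **argv)
{
    int req[2], rep[2];
    char reply[4096];
    if (argc != 2 || pipe(req) < 0 || pipe(rep) < 0)
        return 1;
    if (fork() == 0) {                       /* the small, root-only helper */
        close(req[1]); close(rep[0]);
        serve_forwards(req[0], rep[1]);
        _exit(0);
    }
    close(req[0]); close(rep[1]);            /* sendmail would drop root here */
    long n = ask_helper(req[1], rep[0], argv[1], reply, sizeof reply);
    printf("%s\n", n < 0 ? "(helper error)" : reply);
    return n < 0;
}
```

Run as `./get_forwards <logname>`; the helper never sees anything but the pipe, so a caller cannot hand it a path, and a user's .forward that is a symlink or is writable by others is refused rather than read as root.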