[37964] in bugtraq

Re: possible local exploit via sendmail with procmail on solaris

daemon@ATHENA.MIT.EDU (Jeff Damens)
Thu Dec 23 20:43:42 2004

Date: Wed, 22 Dec 2004 17:24:56 -0500 (EST)
Message-Id: <200412222224.iBMMOuXd021613@ebbets.poly.edu>
From: Jeff Damens <jdamens@ebbets.poly.edu>
To: mbarnes@compsci.wm.edu
Cc: bugtraq@securityfocus.com
In-reply-to: <20041221163003.G26699@star.compsci.wm.edu> (message from Michael
	Barnes on Tue, 21 Dec 2004 16:30:03 -0500)


Mike,

Sendmail is *supposed* to run the local mailer setuid as the
recipient, so procmail should have run as you.  I'm running sendmail
8.13.1 on solaris 7 & 8 and it does seem to setuid properly.  

Is it possible that procmail itself is setuid root and is invoking the
shell which is sourcing your .cshrc?  It would be interesting to see a
truss -f of sendmail doing a local delivery.

$h is the host as set from the 2nd part of the $# local mailer rule.
It probably isn't set in your sendmail rules for local users.  

Regards,

Jeff

----------------------------------------------------------------

Jeff Damens                     Unix Systems Administrator
Polytechnic University          jdamens@ebbets.poly.edu
6 Metrotech                     (718) 260-3492
Brooklyn, New York 11201
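
Added example, not part of the message above and not sendmail or procmail code: a shell check for the two things the reply asks about, namely how sendmail.cf defines the local mailer (program, F= flags, and the argv where $h appears) and whether that program is setuid root. The sendmail.cf fragment is a constructed sample, the function names are illustrative, and the script relies on sendmail's documented mailer flag S (do not reset the uid before calling the mailer).

```shell
#!/bin/sh
# Added example (not from the original message): show how sendmail.cf defines
# the local mailer and whether the delivery program is setuid root.

sample_cf() {  # constructed sample; program path and flags are assumptions
cat <<'EOF'
Mlocal,   P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,
          R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,
          A=procmail -Y -a $h -d $u
Mprog,    P=/bin/sh, F=lsDFMoqeu9, A=sh -c $u
EOF
}

# Print the Mlocal definition joined with its indented continuation lines.
local_mailer_def() {
    awk '/^Mlocal[, \t]/ { grab = 1; def = $0; next }
         grab && /^[ \t]/ { sub(/^[ \t]+/, " "); def = def $0; next }
         grab             { exit }
         END              { if (def != "") print def }' "$1"
}

# Extract one field (P, F, A ...) from a joined definition; A= runs to the end.
mailer_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        pos = match($0, "[ \t,]" k "=")
        if (!pos) exit
        rest = substr($0, pos + 3)
        if (k != "A") sub(/,.*/, "", rest)
        print rest }'
}

# F=S: sendmail does not reset the uid before running the mailer.
runs_without_uid_reset() { case "$1" in *S*) return 0 ;; *) return 1 ;; esac; }

# True when the file is setuid and owned by uid 0.
is_setuid_root() { [ -u "$1" ] && [ "$(ls -lnL "$1" | awk '{print $3}')" = 0 ]; }

audit_local_mailer() {  # $1 = path to a sendmail.cf
    def=$(local_mailer_def "$1")
    [ -n "$def" ] || { echo "no Mlocal definition in $1"; return 2; }
    prog=$(mailer_field "$def" P); flags=$(mailer_field "$def" F)
    echo "program: $prog"; echo "flags:   $flags"
    echo "argv:    $(mailer_field "$def" A)"
    if runs_without_uid_reset "$flags"; then echo "F=S set: mailer starts with sendmail's uid"; fi
    if is_setuid_root "$prog" 2>/dev/null; then echo "$prog is setuid root"; fi
}

tmp=$(mktemp) && sample_cf > "$tmp" && audit_local_mailer "$tmp"; rm -f "$tmp"
```

To audit a live system, call audit_local_mailer with the path of the sendmail.cf actually in use instead of the sample.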
