[4204] in bugtraq


ObNag: running sendmail as root

daemon@ATHENA.MIT.EDU (Tom Guptill)
Mon Mar 24 17:41:05 1997

Date: 	Mon, 24 Mar 1997 16:27:18 -0500
Reply-To: Tom Guptill <tgpt@pas.rochester.edu>
From: Tom Guptill <tgpt@PAS.ROCHESTER.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199703241414.JAA00477@dilbert.iagnet.net>

Many people have said this before:  For those of us who choose to run
sendmail, the vast majority of vulnerabilities can be eliminated (or at
least made considerably less dangerous) if you DO NOT RUN SENDMAIL AS
ROOT!  Unless you have an extraordinarily busy mail server, running it
from inetd for incoming mail and leaving a copy running "-q15" for
delivery of queued messages works just fine, thank you.  I have done this
under Solaris and Linux, and I imagine that the switch is fairly
straightforward on almost any UNIX.

If you decide to make this change, you'll need to (at least) change the
ownership/permissions on the following:

sendmail executable (setuid/gid mail)
/var/mail (or /var/spool/mail) and contents
/var/spool/mqueue
/etc/mail/* (or wherever your sendmail.* and aliases* files are)

You'll need to make a few changes to sendmail.cf and inetd.conf, plus
check the ownership/permissions of ALL of your mail programs.  I was able
to eliminate the setuid/gid bits on /bin/*mail*, leaving only the setgid
mail bit on 'elm' because I haven't had a chance to go back and see if the
need for it can be eliminated at compile time.  Just make sure you get the
permissions right on the mail spool or you'll wind up with incorrect group
ownership of users' mail spools:  they should be owned by the user, group
"mail".

Also, you should probably carefully ensure that everyone's .forward file
is world-readable (and their home dir is world-executable unless your
sendmail provides for an alternate location for .forward files).  You
might want to avoid doing this with a quickly-written script; remember, a
.forward file can be a link too.

If you choose to use tcpd or another wrapper for sendmail, I don't advise
using the strict reverse DNS settings, since *MANY* sites that distribute
a lot of mail fail this.

I strongly suggest "playing" on a machine that is not mission-critical and
then changing your more critical machines once you have a configuration
that you know works for you.

just my thoughts...

- Tom


--
Tom Guptill                         tgpt@pas.rochester.edu
UNIX SA                             104 B&L RC
Department of Physics and Astronomy, University of Rochester
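
An added example, not part of the original post: a read-only audit of the .forward conditions described above (world-readable file, world-searchable home directory) that reports a symlinked .forward instead of touching it. The function names and status words are hypothetical, and it assumes a GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example: read-only audit of one user's .forward for a non-root sendmail.
# It only reports; it never chmods, so a symlinked .forward cannot redirect a change.

# mode_of PATH: octal permission bits (GNU stat, falling back to BSD stat).
# Neither form follows a symlink given as the final path component.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# other_has MODE BIT: true if the "other" octal digit of MODE has BIT set
# (4 = read, 1 = execute/search).
other_has() {
    o=${1#"${1%?}"}                 # last character of the mode string
    [ $(( ${o:-0} & $2 )) -ne 0 ]
}

# audit_forward HOMEDIR: print one status word for HOMEDIR/.forward.
audit_forward() {
    home=$1
    f="$home/.forward"
    # Test for a link first: -e and -f would silently follow it.
    if [ -L "$f" ]; then echo SYMLINK; return 0; fi
    [ -e "$f" ] || { echo NONE; return 0; }
    [ -f "$f" ] || { echo NOT_REGULAR; return 0; }
    # "$home/." resolves to the directory itself even if HOMEDIR is a link.
    other_has "$(mode_of "$home/.")" 1 || { echo HOME_NOT_SEARCHABLE; return 0; }
    other_has "$(mode_of "$f")" 4 || { echo NOT_WORLD_READABLE; return 0; }
    echo OK
}

# Usage: sh audit_forward.sh /home/*   (no arguments: define functions only)
for h in "$@"; do
    printf '%s\t%s\n' "$h" "$(audit_forward "$h")"
done
```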
