[7593] in bugtraq
Re: Sendmail up to 8.9.1 - mail.local introduces new class of
daemon@ATHENA.MIT.EDU (Jonathan Stott)
Mon Aug 10 12:09:46 1998
Date: Mon, 10 Aug 1998 09:17:26 -0400
Reply-To: Jonathan Stott <jstott@POLY.PHYS.CWRU.EDU>
From: Jonathan Stott <jstott@POLY.PHYS.CWRU.EDU>
To: BUGTRAQ@NETSPACE.ORG

[description of DoS attacks via mail.local snipped]

> Fix:
>
> It's stupid to make any part of sendmail package setuid. It's really
> possible to make sendmail work with no setuid nor setgid, by arranging
> proper communication with sendmail daemon, if running. Also, I suggest to
> be at least careful with new features of recent Sendmail version :-)

mail.local, while it is distributed with sendmail, is not part of sendmail.
From sendmail-8.9.0/README:

:mail.local  The source for the local delivery agent used for 4.4BSD.
:            THIS IS NOT PART OF SENDMAIL! and may not compile
:            everywhere, since it depends on some 4.4-isms. Warning:
:            it does mailbox locking differently than other systems.

A better fix would be to use procmail, or /bin/mail, or some other
program for local mail delivery.

-JS