[7607] in bugtraq

Re: Sendmail up to 8.9.1 - mail.local introduces new class of

daemon@ATHENA.MIT.EDU (Scott Stone)
Tue Aug 11 16:08:55 1998

Date: 	Tue, 11 Aug 1998 09:35:12 +0900
Reply-To: Scott Stone <sstone@UME.PHT.CO.JP>
From: Scott Stone <sstone@UME.PHT.CO.JP>
X-To:         Jeremiah Rothschild <jeremiah@GRAVITON.RTINET.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSI.3.95.980810092458.1525D-100000@graviton.rtinet.net>

On Mon, 10 Aug 1998, Jeremiah Rothschild wrote:

> I run sendmail suid/sgid mail..  Therefore, if hacked, the worst situation
> would be losing mail spools.  Doing this has been nicely documented..
>
> Anyone interested should check out www.virtual.net.au/~rjc/sendmail.html

On a related note, sendmail 8.9.0 has its mail.local setuid by default as
well.

>
> # ip
>
> On Thu, 9 Jul 1998, Michal Zalewski wrote:
>
> > It's stupid to make any part of sendmail package setuid. It's really
> > possible to make sendmail work with no setuid nor setgid, by arranging
> > proper communication with sendmail daemon, if running. Also, I suggest to
> > be at least careful with new features of recent Sendmail version :-)
>

--------------------------------------------------
Scott M. Stone <sstone@pht.com, sstone@turbolinux.com>
               <sstone@pht.co.jp>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)
http://www.pht.com              http://armadillo.pht.co.jp
http://www.pht.co.jp            http://www.turbolinux.com
