[7641] in bugtraq
Re: Sendmail up to 8.9.1 - mail.local introduces new class of
daemon@ATHENA.MIT.EDU (Kari E. Hurtta)
Wed Aug 12 18:33:43 1998
Date: Wed, 12 Aug 1998 11:50:22 +0300
Reply-To: "Kari E. Hurtta" <hurtta+zz2@OZONE.FMI.FI>
From: "Kari E. Hurtta" <hurtta+zz2@OZONE.FMI.FI>
X-To: blymn@BAEA.COM.AU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199808110149.LAA15646@mallee.awadi> from Brett Lymn at "Aug 11,
1998 11:19:51 am"
Brett Lymn:
> According to Jonathan Stott:
> >
> >A better fix would be to use procmail, or /bin/mail, or some other
> >program for local mail delivery.
> >
>
> A lot of people have been recommending putting procmail in to perform
> filtering of mail as an adjunct to sendmail. I did a quick grep for
> the notorious strc{at,py} commands in the procmail source and found
> quite a few. I have not analysed the code but people putting in
> filters now to prevent the recent problems with mime et al could be
> (I said _could_be_) leaving themselves open for a more subtle exploit
> later on via procmail overflows.

It is also possible to make sure that mail.local (or any other
mail delivery program) can be used only by sendmail.

Assuming that the program was setuid root:

1) Drop the setuid bit:

        chmod u-s /usr/libexec/mail.local

2) Add

        define(`LOCAL_MAILER_FLAGS',LOCAL_MAILER_FLAGS`S')

   to your *.mc file before the

        MAILER(local)

   line.

Alternatively, add just

        FEATURE(local_lmtp)

before the MAILER(local) line (the 'S' flag is already defined by
FEATURE(local_lmtp), so it does not need to be added).

The S flag causes sendmail to call the local mailer as root,
so the mailer itself does not need to be setuid root.

Summary:

If you use

        FEATURE(local_lmtp)

/usr/libexec/mail.local does not need to be setuid root.

/ Kari Hurtta
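
Added example, not part of the original message: a small audit that reads the Mlocal definition from a generated sendmail.cf and checks that the F= flags and the mailer's setuid bit agree with the setup described above. The function names and the sample Mlocal line are constructed for illustration, and the cf layout (comma-separated KEY=value fields, continuation lines starting with whitespace) is assumed.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are
# hypothetical; the Mlocal layout below is a constructed sample.

# Print a constructed sendmail.cf fragment. $1 = mailer path, $2 = F= flags
sample_cf() {
    printf 'Mlocal,\t\tP=%s, F=%s, S=10/30, R=20/40,\n' "$1" "$2"
    printf '\t\tT=DNS/RFC822/SMTP,\n\t\tA=mail.local -l\n'
    printf 'Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, A=sh -c $u\n'
}

# Print one field of the Mlocal definition. $1 = cf file, $2 = key (P or F)
mlocal_field() {
    awk -v key="$2" '
        /^Mlocal,/      { inm = 1; def = $0; next }
        inm && /^[ \t]/ { def = def $0; next }   # continuation line
        inm             { inm = 0 }              # next definition starts
        END {
            n = split(def, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (index(parts[i], key "=") == 1) { print substr(parts[i], 3); exit }
            }
        }' "$1"
}

# Report whether the mailer binary and the F= flags agree. $1 = cf file
audit_local_mailer() {
    prog=$(mlocal_field "$1" P)
    flags=$(mlocal_field "$1" F)
    [ -n "$prog" ] || { echo "error: no Mlocal definition in $1"; return 2; }
    case $flags in *S*) has_s=yes ;; *) has_s=no ;; esac
    if [ -u "$prog" ]; then suid=yes; else suid=no; fi
    case $suid/$has_s in
        no/yes)  echo "ok: $prog is not setuid; S flag makes sendmail run it as root" ;;
        yes/yes) echo "setuid: $prog is still setuid; S is set, so chmod u-s can be applied"; return 1 ;;
        yes/no)  echo "setuid: $prog is setuid and F= lacks S; add S before dropping the bit"; return 1 ;;
        no/no)   echo "broken: $prog is not setuid and F= lacks S; it will not run as root"; return 1 ;;
    esac
}

# Run against a real file when a path is given: sh audit.sh path/to/sendmail.cf
if [ $# -gt 0 ]; then audit_local_mailer "$1"; fi
```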