Bugtraq mailing list archives

ObNag: running sendmail as root


From: tgpt () pas rochester edu (Tom Guptill)
Date: Mon, 24 Mar 1997 16:27:18 -0500


Many people have said this before:  For those of us who choose to run
sendmail, the vast majority of vulnerabilities can be eliminated (or at
least made considerably less dangerous) if you DO NOT RUN SENDMAIL AS
ROOT!  Unless you have an extraordinarily busy mail server, running it
from inetd for incoming mail and leaving a copy running "-q15" for
delivery of queued messages works just fine, thank you.  I have done this
under Solaris and Linux, and I imagine that the switch is fairly
straightforward on almost any UNIX.

If you decide to make this change, you'll need to (at least) change the
ownership/permissions on the following:

sendmail executable (setuid/gid mail)
/var/mail (or /var/spool/mail) and contents
/var/spool/mqueue
/etc/mail/* (or wherever your sendmail.* and aliases* files are)

You'll need to make a few changes to sendmail.cf and inetd.conf, plus
check the ownership/permissions of ALL of your mail programs.  I was able
to eliminate the setuid/gid bits on /bin/*mail*, leaving only the setgid
mail bit on 'elm' because I haven't had a chance to go back and see if the
need for it can be eliminated at compile time.  Just make sure you get the
permissions right on the mail spool or you'll wind up with incorrect group
ownership of users' mail spools:  they should be owned by the user, group
"mail".

Also, you should probably carefully ensure that everyone's .forward file
is world-readable (and their home dir is world-executable unless your
sendmail provides for an alternate location for .forward files).  You
might want to avoid doing this with a quickly-written script; remember, a
.forward file can be a link too.

If you choose to use tcpd or another wrapper for sendmail, I don't advise
using the strict reverse DNS settings, since *MANY* sites that distribute
a lot of mail fail this.

I strongly suggest "playing" on a machine that is not mission-critical and
then changing your more critical machines once you have a configuration
that you know works for you.

just my thoughts...

- Tom


--
Tom Guptill                         tgpt () pas rochester edu
UNIX SA                             104 B&L RC
Department of Physics and Astronomy, University of Rochester
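
A report-only audit of the .forward check described in the message above, added here as an example and not part of the original post. The function name and the wording of the findings are assumptions of this example; it uses lstat() so that a .forward which is a link is reported rather than followed, and it changes nothing on disk.

```python
import os
import stat
import sys


def audit_forward(home):
    """Return findings for home/.forward; an empty list means fine or absent.

    Report-only: nothing is chmod'ed or chown'ed, so a .forward that is a
    symbolic link can never redirect a change onto some other file.
    """
    path = os.path.join(home, ".forward")
    try:
        st = os.lstat(path)  # lstat describes the link itself, not its target
    except FileNotFoundError:
        return []  # no .forward, nothing to check
    except PermissionError:
        return ["cannot be reached by the user running this audit"]
    findings = []
    # Not needed if your sendmail reads .forward from an alternate location.
    if not os.stat(home).st_mode & stat.S_IXOTH:
        findings.append("home directory is not world-executable")
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symbolic link to %r; review by hand" % os.readlink(path))
    elif not stat.S_ISREG(st.st_mode):
        findings.append("is not a regular file")
    elif not st.st_mode & stat.S_IROTH:
        findings.append("is not world-readable")
    return findings


if __name__ == "__main__":
    # Usage: pass home directories as arguments, e.g. the sixth field of passwd.
    for home in sys.argv[1:]:
        for finding in audit_forward(home):
            print("%s/.forward: %s" % (home, finding))
```

Running it as the unprivileged user that sendmail will run as shows what that user can actually reach.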


