Bugtraq mailing list archives
ObNag: running sendmail as root
From: tgpt () pas rochester edu (Tom Guptill)
Date: Mon, 24 Mar 1997 16:27:18 -0500
Many people have said this before: For those of us who choose to run sendmail, the vast majority of vulnerabilities can be eliminated (or at least made considerably less dangerous) if you DO NOT RUN SENDMAIL AS ROOT!

Unless you have an extraordinarily busy mail server, running it from inetd for incoming mail and leaving a copy running "-q15" for delivery of queued messages works just fine, thank you. I have done this under Solaris and Linux, and I imagine that the switch is fairly straightforward on almost any UNIX.

If you decide to make this change, you'll need to (at least) change the ownership/permissions on the following:

    sendmail executable (setuid/gid mail)
    /var/mail (or /var/spool/mail) and contents
    /var/spool/mqueue
    /etc/mail/* (or wherever your sendmail.* and aliases* files are)

You'll need to make a few changes to sendmail.cf and inetd.conf, plus check the ownership/permissions of ALL of your mail programs. I was able to eliminate the setuid/gid bits on /bin/*mail*, leaving only the setgid mail bit on 'elm' because I haven't had a chance to go back and see if the need for it can be eliminated at compile time.

Just make sure you get the permissions right on the mail spool or you'll wind up with incorrect group ownership of user's mail spools: they should be owned by the user, group "mail".

Also, you should probably carefully ensure that everyone's .forward file is world-readable (and their home dir is world-executable unless your sendmail provides for an alternate location for .forward files). You might want to avoid doing this with a quickly-written script; remember, a .forward file can be a link too.

If you choose to use tcpd or another wrapper for sendmail, I don't advise using the strict reverse DNS settings, since *MANY* sites that distribute a lot of mail fail this.

I strongly suggest "playing" on a machine that is not mission-critical and then changing your more critical machines once you have a configuration that you know works for you.

just my thoughts...
- Tom

--
Tom Guptill    tgpt () pas rochester edu
UNIX SA        104 B&L RC
Department of Physics and Astronomy, University of Rochester
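
An added example, not part of the original post: a read-only audit of the ownership and permission points the message lists (spool files owned by the user with group "mail", a world-readable .forward, a world-executable home directory). It uses lstat so that a .forward symlink is reported rather than followed; the function names and the uid_of callback are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_spool(spool_dir, mail_gid, uid_of):
    """Report spool files not owned by the mailbox user with group mail (uid_of: name -> uid or None)."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))  # lstat: never follow links
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_uid != uid_of(name):
            findings.append((name, "owner is not the mailbox user"))
        if st.st_gid != mail_gid:
            findings.append((name, "group is not mail"))
    return findings

def audit_forward(home_dir):
    """Check one home directory's .forward without following a symlink."""
    findings = []
    if not os.stat(home_dir).st_mode & stat.S_IXOTH:
        findings.append("home directory is not world-executable")
    path = os.path.join(home_dir, ".forward")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings  # no .forward: nothing more to check
    if stat.S_ISLNK(st.st_mode):
        findings.append(".forward is a symlink; review by hand, do not chmod")
    elif not st.st_mode & stat.S_IROTH:
        findings.append(".forward is not world-readable")
    return findings

def demo():
    """Constructed sample: a temporary home directory with an unreadable .forward."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o711)
        fwd = os.path.join(home, ".forward")
        with open(fwd, "w") as f:
            f.write("user@example.org\n")
        os.chmod(fwd, 0o600)
        return audit_forward(home)

if __name__ == "__main__":
    print(demo())
```

On a real host, uid_of would typically wrap pwd.getpwnam and mail_gid would come from grp.getgrnam("mail").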