Bugtraq mailing list archives
Re: Sendmail up to 8.9.1 - mail.local instroduces new class of
From: jstott () POLY PHYS CWRU EDU (Jonathan Stott)
Date: Mon, 10 Aug 1998 09:17:26 -0400
[description of DoS attacks via mail.local snipped]
Fix: It's stupid to make any part of sendmail package setuid. It's really possible to make sendmail work with no setuid nor setgid, by arranging proper communication with sendmail daemon, if running. Also, I suggest to be at least careful with new features of recent Sendmail version :-)
mail.local, while it is distributed with sendmail, is not part of sendmail.
From sendmail-8.9.0/README:
:mail.local  The source for the local delivery agent used for 4.4BSD.
:            THIS IS NOT PART OF SENDMAIL! and may not compile
:            everywhere, since it depends on some 4.4-isms. Warning:
:            it does mailbox locking differently than other systems.

A better fix would be to use procmail, or /bin/mail, or some other program for local mail delivery.

-JS