
Re: more reasons to move to Qmail



On Sat, 9 Aug 1997, Ira Abramov wrote:

> 
> 
> sendmail -C allows to send yourself any file from the system (i.e. the
> shadow password files etc)

Not necessarily. For some reason, my system (Slackware 2.0.29) is not
vulnerable.

> sendmail -C /etc/shadow
/etc/shadow: line 0: cannot open: Permission denied

And yes, my sendmail 8.8.6 runs setgid.

> ---------- Forwarded message ----------
> Date: Thu, 7 Aug 1997 12:15:39 -0700
> From: Eric Allman <eric@SENDMAIL.ORG>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: sendmail -C problem: explained
> 
> OK, after some searching, it turns out that there was a problem -- of
> sorts -- in sendmail prior to 8.8.7, on some architectures.  Basically,
> on kernels with group sets, where groupset[0] is not equivalent to
> getegid(), and if sendmail has the setgid bit set, this problem can
> occur.  In general, BSD-based systems do NOT have the problem, but
> System V-based systems DO.  Linux apparently uses System V semantics.
> 
> There are two solutions.  Either do not run sendmail setgid (there is
> absolutely no reason for it to need the setgid bit), or upgrade to
> 8.8.7, which does not have the problem even if it is setgid.
> 
> The Makefiles that come with sendmail mistakenly install sendmail
> setgid, for reasons lost in antiquity.
> 
> eric


Andy

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*               Andrey Tsouladze                *                   *
*          Webmaster/Systems Manager            *                   *
*                SPL WorldGroup                 * Cogito,           *
*              3b Yoni Netaniyahu               *                   *
*           Or-Yehuda 60200, Israel             *       ergo        *
*    E-mail: andy@spl.co.il                     *                   *
*    E-mail: tsoul@aluf.technion.ac.il          *            sum    *
*    http://www.spl.co.il/~andy                 *                   *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
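The condition in Eric Allman's forwarded note, that the fault appears only where groupset[0] is not the same as getegid() and the binary is setgid, can be checked directly on a host. The program below is an added example for this archive page, not code from the thread or from sendmail; it assumes a POSIX system with getgroups(), and the constant and function names are my own.

```c
/* Added example, not code from the thread or from sendmail.
 * Reports whether this process sees BSD-style group semantics
 * (groupset[0] == getegid()) or System V-style semantics (the
 * effective gid kept apart from the supplementary group set), the
 * distinction Eric Allman's message draws, and whether the process
 * is currently running setgid at all. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256   /* assumption: enough for any realistic group set */

enum group_semantics { SEM_BSD = 0, SEM_SYSV = 1, SEM_UNKNOWN = -1 };

/* Pure classifier, so the logic can be exercised on constructed inputs:
 * BSD kernels place the effective gid in groups[0]; System V kernels do
 * not, so a setgid binary's egid may be absent from the set entirely. */
int classify_groupset(const gid_t *groups, int ngroups, gid_t egid)
{
    if (ngroups <= 0)
        return SEM_UNKNOWN;
    return groups[0] == egid ? SEM_BSD : SEM_SYSV;
}

/* A process is effectively setgid when its real and effective gids differ. */
int is_setgid_process(gid_t rgid, gid_t egid)
{
    return rgid != egid;
}

/* Live check on the calling process. */
int classify_current_process(void)
{
    gid_t groups[MAX_GROUPS];
    int n = getgroups(MAX_GROUPS, groups);
    if (n < 0)
        return SEM_UNKNOWN;
    return classify_groupset(groups, n, getegid());
}

int main(void)
{
    int sem = classify_current_process();
    printf("setgid process: %s\n",
           is_setgid_process(getgid(), getegid()) ? "yes" : "no");
    printf("group semantics: %s\n",
           sem == SEM_BSD  ? "BSD (groupset[0] == egid)" :
           sem == SEM_SYSV ? "System V (egid outside group set)" : "unknown");
    return 0;
}
```

Run it once as an ordinary user and once from a setgid copy to see both answers; only the combination "setgid process: yes" with System V semantics matches the situation Eric describes for sendmail before 8.8.7.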

