Re: more reasons to move to Qmail
On Sat, 9 Aug 1997, Ira Abramov wrote:
>
>
> sendmail -C allows you to send yourself any file from the system (i.e. the
> shadow password files etc.)
Not necessarily. For some reason, my system (Slackware 2.0.29) is not
vulnerable.
> sendmail -C /etc/shadow
/etc/shadow: line 0: cannot open: Permission denied
And yes, my sendmail 8.8.6 runs setgid.
> ---------- Forwarded message ----------
> Date: Thu, 7 Aug 1997 12:15:39 -0700
> From: Eric Allman <eric@SENDMAIL.ORG>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: sendmail -C problem: explained
>
> OK, after some searching, it turns out that there was a problem -- of
> sorts -- in sendmail prior to 8.8.7, on some architectures. Basically,
> on kernels with group sets, where groupset[0] is not equivalent to
> getegid(), and if sendmail has the setgid bit set, this problem can
> occur. In general, BSD-based systems do NOT have the problem, but
> System V-based systems DO. Linux apparently uses System V semantics.
>
> There are two solutions. Either do not run sendmail setgid (there is
> absolutely no reason for it to need the setgid bit), or upgrade to
> 8.8.7, which does not have the problem even if it is setgid.
>
> The Makefiles that come with sendmail mistakenly install sendmail
> setgid, for reasons lost in antiquity.
>
> eric
Andy
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Andrey Tsouladze * *
* Webmaster/Systems Manager * *
* SPL WorldGroup * Cogito, *
* 3b Yoni Netaniyahu * *
* Or-Yehuda 60200, Israel * ergo *
* E-mail: andy@spl.co.il * *
* E-mail: tsoul@aluf.technion.ac.il * sum *
* http://www.spl.co.il/~andy * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
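The first remedy in the forwarded advisory is to stop running with the setgid bit. Where a program has to stay setgid, the general defence is to give up that privilege before opening any path the invoker names. The C below is an added example of that pattern, not sendmail code and not a description of what 8.8.7 changed; the function names are hypothetical, and it assumes a setgid, non-root binary.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for setregid()/setegid() declarations */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 1 if the effective gid is in the supplementary group set, 0 if not, -1 on error. */
int egid_in_group_set(void)
{
    int n = getgroups(0, NULL);              /* ask for the count first */
    if (n < 0) return -1;
    gid_t *groups = malloc((size_t)(n > 0 ? n : 1) * sizeof *groups);
    if (groups == NULL) return -1;
    n = getgroups(n, groups);
    int found = (n < 0) ? -1 : 0;
    for (int i = 0; i < n; i++)
        if (groups[i] == getegid()) found = 1;
    free(groups);
    return found;
}

/* Permanently give up setgid privilege: real, effective and saved gid
   all become the invoker's real gid. Returns 0 on success. */
int drop_setgid_privilege(void)
{
    gid_t rgid = getgid(), old_egid = getegid();
    if (setregid(rgid, rgid) != 0) return -1;
    /* For a non-root process the old effective gid must now be unreachable. */
    if (geteuid() != 0 && old_egid != rgid && setegid(old_egid) == 0) return -1;
    return (getgid() == rgid && getegid() == rgid) ? 0 : -1;
}

/* Open a caller-named file only after the drop, so the kernel checks
   access against the invoker's own group identity. Returns fd or -1. */
int open_user_config(const char *path)
{
    if (drop_setgid_privilege() != 0) return -1;
    return open(path, O_RDONLY);
}

int main(int argc, char **argv)
{
    printf("egid in group set: %d\n", egid_in_group_set());
    int fd = open_user_config(argc > 1 ? argv[1] : "/dev/null");
    if (fd < 0) { perror("open"); return 1; }
    close(fd);
    return 0;
}
```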