Xref: utzoo comp.unix.questions:29375 comp.unix.ultrix:6522 comp.mail.sendmail:2836
Path: utzoo!news-server.csri.toronto.edu!rutgers!att!linac!mp.cs.niu.edu!rickert
From: rickert@mp.cs.niu.edu (Neil Rickert)
Newsgroups: comp.unix.questions,comp.unix.ultrix,comp.mail.sendmail
Subject: Re: How does sendmail get UUCP host names?
Keywords: uucp
Message-ID: <1991Mar12.171523.30268@mp.cs.niu.edu>
Date: 12 Mar 91 17:15:23 GMT
References: <1991Mar12.102259.1777@hollie.rdg.dec.com> <1991Mar12.130319.14972@mp.cs.niu.edu> <1991Mar12.143810.7383@hollie.rdg.dec.com>
Organization: Northern Illinois University
Lines: 37

In article <1991Mar12.143810.7383@hollie.rdg.dec.com> jch@hollie.rdg.dec.com (John Haxby) writes:
>
>In article <1991Mar12.130319.14972@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>|> Mode 600 prevents someone running 'strings' on the freeze file. But it is
>|> pretty easy to coax 'sendmail' into generating a core dump owned by the person
>|> who invokes 'sendmail', and all the same information should be there. This
>|> risk is also present if you don't use a freeze file.
>
>How? sendmail catches the quit signal and you can't send it
>your favourite core-dumping signal unless you are root.
>Unless you have a dead-cert bug that makes sendmail
>drop core every time ....

[I have added comp.mail.sendmail to the newsgroups, because of the importance
of this issue. :nwr]

Must I spell out the details of a security problem you may have inflicted on
your users? That would only open up the problem further for everyone to see
and perhaps take advantage of.

For the time being, I will not spell it out. The bug is not in 'sendmail',
but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
read a file such as L.sys which contains confidential information.
DON'T DO IT.

Making the freeze file mode 600, or running without a freeze file is at best
a partial solution. It prevents the direct attack of 'strings sendmail.fc'.
But someone familiar with the workings of sendmail CAN coerce it into taking
a publicly readable core dump which is likely to contain a copy of the
confidential information. And it does not require root privileges to do this.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940
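
An added example, not part of Neil Rickert's post: a small audit that lists the files a sendmail.cf pulls in through 'F' lines and flags any that ordinary users cannot read themselves, which are the files the post says must not be loaded this way. The sample configuration, the /usr/lib/uucp path and the function names are constructed for illustration.

```python
import os
import re
import stat

# F<class><file> [scanf-format]; class is one character or {name},
# with an optional "-o" (file may be absent) before the path.
F_LINE = re.compile(r"^F(\{[^}]+\}|\S)\s*(?:-o\s+)?(\S+)")

# Constructed sample configuration (paths are assumptions, not from the post).
SAMPLE_CF = """\
# local host aliases
Fw/etc/sendmail.cw
# UUCP neighbours read straight from the dial-up database
FU/usr/lib/uucp/L.sys %[abcdefghijklmnopqrstuvwxyz0-9]
Fx|/usr/local/bin/listhosts
CUlocalhub
"""

def class_files(cf_text):
    """Return (class, path) for each F line that reads a plain file."""
    found = []
    for line in cf_text.splitlines():
        m = F_LINE.match(line)
        if m and not m.group(2).startswith("|"):  # skip program-backed classes
            found.append((m.group(1), m.group(2)))
    return found

def confidential_sources(cf_text, root=""):
    """Flag F-line files that other users cannot read directly.

    sendmail reads them with its own privileges, so their contents sit in
    its address space and in any freeze file built from this configuration.
    `root` prefixes each path so a copied or mounted tree can be checked.
    """
    flagged = []
    for cls, path in class_files(cf_text):
        try:
            mode = os.stat(root + path).st_mode
        except OSError:
            continue  # missing file: nothing is loaded from it
        if not mode & stat.S_IROTH:
            flagged.append((cls, path, stat.S_IMODE(mode)))
    return flagged

if __name__ == "__main__":
    for cls, path, mode in confidential_sources(SAMPLE_CF):
        print(f"class {cls}: {path} is mode {mode:o}; remove this F line")
```

Any file it reports should be dropped from the configuration and replaced with a separately maintained, non-confidential list of names.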