Xref: utzoo comp.unix.questions:29372 comp.unix.ultrix:6516 Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!spool.mu.edu!uwm.edu!linac!mp.cs.niu.edu!rickert From: rickert@mp.cs.niu.edu (Neil Rickert) Newsgroups: comp.unix.questions,comp.unix.ultrix Subject: Re: How does sendmail get UUCP host names? Keywords: uucp Message-ID: <1991Mar12.130319.14972@mp.cs.niu.edu> Date: 12 Mar 91 13:03:19 GMT References: <1991Mar12.011642.17723@pslu1.psl.wisc.edu> <1991Mar12.035457.18829@mp.cs.niu.edu> <1991Mar12.102259.1777@hollie.rdg.dec.com> Organization: Northern Illinois University Lines: 28 In article <1991Mar12.102259.1777@hollie.rdg.dec.com> jch@hollie.rdg.dec.com (John Haxby) writes: > >In article <1991Mar12.035457.18829@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes: >|> (A particulary undesirable approach uses >|> FU/usr/lib/uucp/L.sys >|> which has the wonderful effect of putting all passwords in L.sys into >|> the freeze file, and into an core dumps from sendmail). > >Except that sendmail makes sure the freeze file >is mode 600 ... we like to fix security holes. Mode 600 prevents someone running 'strings' on the freeze file. But it is pretty easy to coax 'sendmail' in to generating a core dump owned by the person who invokes 'sendmail', and all the same information should be there. This risk is also present if you don't use a freeze file. A much safer approach is to run 'uuname' into a file, and use that file in an F line in 'sendmail.cf'. The whole thing can be run from a makefile which redoes the 'uuname' if L.sys changes, then rebuilds the freeze file if the file containing 'uuname' output changes. (With a little care in preparing a suitable shell script, you can have the 'make' also kill and restart the sendmail daemon when the freeze file changes.) -- =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= Neil W. Rickert, Computer Science Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940