Xref: utzoo comp.unix.questions:29804 comp.unix.ultrix:6682 comp.mail.sendmail:2928
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!uunet!unisoft!greywolf
From: greywolf@unisoft.UUCP (The Grey Wolf)
Newsgroups: comp.unix.questions,comp.unix.ultrix,comp.mail.sendmail
Subject: Re: How does sendmail get UUCP host names?
Keywords: uucp
Message-ID: <3449@unisoft.UUCP>
Date: 26 Mar 91 23:58:22 GMT
References: <1991Mar12.102259.1777@hollie.rdg.dec.com> <1991Mar12.130319.14972@mp.cs.niu.edu> <1991Mar12.143810.7383@hollie.rdg.dec.com> <1991Mar12.171523.30268@mp.cs.niu.edu>
Reply-To: greywolf@unisoft.UUCP (The Grey Wolf)
Organization: Foo Bar and Grill
Lines: 43

/* <1991Mar12.171523.30268@mp.cs.niu.edu> by rickert@mp.cs.niu.edu (Neil Rickert)
 *
 * [I have added comp.mail.sendmail to the newsgroups, because of the importance
 * of this issue. :nwr]
 *
 * For the time being, I will not spell it out. The bug is not in 'sendmail',
 * but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
 * read a file such as L.sys which contains confidential information.
 * DON'T DO IT.

Smart move.

 *
 * Making the freeze file mode 600, or running without a freeze file is at
 * best a partial solution.

I will now close my eyes so the room will be empty.

 *
 * It prevents the direct attack of 'strings sendmail.fc'. But someone
 * familiar with the workings of sendmail CAN coerce it into taking a publicly
 * readable core dump which is likely to contain a copy of the confidential
 * information. And it does not require root privileges to do this.
 *

Um, pardon, but it *does* require root permission to generate a core dump
from a setuid-root executable%. Never mind that making /usr/lib/uucp/L.sys
part of the configuration via an F line is not a smart move.

This hole must be *really* obscure.

{flaming? send me mail.}

 *
 * --
 * =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
 * Neil W. Rickert, Computer Science
 * Northern Illinois Univ.
 * DeKalb, IL 60115 +1-815-753-6940

% Under any *reasonable* kernel, this is true: A core can only be generated
if the invoking uid and the real uid are identical, and even then only if
the executable has read permission. This goes out the window if you're
the super-user.
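
A defensive check for the configuration problem discussed in this post, as an added example that is not part of the original message: it scans a sendmail.cf for F lines and reports every one that loads a file ordinary users cannot read. The function names, the stand-in files and the cf fragment in demo() are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# F<class><file> [scanf-format]. The class is a single character (or a
# {name} in later sendmail releases); whitespace before the file is optional.
F_LINE = re.compile(r"^F(\{[^}]+\}|\S)\s*(.*)$")

def audit_f_lines(cf_text):
    """Return (lineno, class, path, mode) for every F line whose file is not
    world-readable: sendmail would load its contents into the process image
    (and any freeze file) even though ordinary users cannot read the file."""
    findings = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        m = F_LINE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        if tokens and tokens[0] == "-o":      # "-o": optional-file flag
            tokens = tokens[1:]
        if not tokens or not tokens[0].startswith("/"):
            continue                          # not an absolute file path
        path = tokens[0]
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            continue                          # cannot stat: nothing to compare
        if not mode & stat.S_IROTH:
            findings.append((lineno, m.group(1), path, oct(mode)))
    return findings

def demo():
    """Constructed input: two stand-in files and a sendmail.cf fragment."""
    d = tempfile.mkdtemp()
    secret, public = os.path.join(d, "L.sys"), os.path.join(d, "local-names")
    for path, mode in ((secret, 0o600), (public, 0o644)):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    cf = "\n".join([
        "# constructed sendmail.cf fragment",
        "DwexampleHost",
        "FU" + secret + " %[abcdefghijklmnopqrstuvwxyz0123456789]",
        "Fw" + public,
    ])
    return audit_f_lines(cf)

if __name__ == "__main__":
    for finding in demo():
        print("restricted file loaded via F line:", finding)
```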