Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!linac!mp.cs.niu.edu!rickert
From: rickert@mp.cs.niu.edu (Neil Rickert)
Newsgroups: comp.mail.sendmail
Subject: Re: Problems with sendmail-5.65c+IDA 1.4.4
Message-ID: <1991Jun30.233450.8343@mp.cs.niu.edu>
Date: 30 Jun 91 23:34:50 GMT
References: <1991Jun30.083151.16887@ircam.fr> <1991Jun30.192430.6193@agate.berkeley.edu> <36658@ucsd.Edu>
Organization: Northern Illinois University
Lines: 23

In article <36658@ucsd.Edu> brian@ucsd.Edu (Brian Kantor) writes:
>wisner@mica.Berkeley.EDU (Bill Wisner) writes:
>>>3. newaliases is executable by *any* user, no matter what the permissions on
>>>   the aliases and aliases.{dir,pag} files are.
>>Why is this a problem? If users can't edit the aliases file, they
>
>Actually, it allows a denial-of-service attack by a user on your
>machine, during which mail will not flow, and after which, your load
>average will skyrocket. Not too serious as such things go, but it can
>be REAL annoying.

You can remove the 'newaliases' command, or make it a shell script that
prints a message if invoked by anyone other than root. This stops the
casual user who is thinking "I wonder what that command will do?"

Of course it doesn't stop the determined person who really wants to do
so from slowing down your mail processing - but only once :-).

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science
  Northern Illinois Univ.
  DeKalb, IL 60115    +1-815-753-6940
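
The wrapper suggested in the post above, sketched as an added example that is not part of the original message or of the sendmail distribution. Assumptions: the real rebuild is done by `/usr/lib/sendmail -bi`, `id -u` and `logger` are available, and the function names are hypothetical.

```sh
#!/bin/sh
# Replacement for the 'newaliases' command: root gets the real rebuild,
# everyone else gets a message. Install as 'newaliases', mode 0755, owner root.
# Assumption: the sendmail binary is at /usr/lib/sendmail; adjust locally.
SENDMAIL=/usr/lib/sendmail

# check_caller UID: return 0 if UID may rebuild the alias database,
# 1 if refused, 2 if UID is empty or not a number (also refused).
check_caller() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -eq 0 ]
}

# refusal_message UID: the text shown to a non-root caller.
refusal_message() {
    echo "newaliases: only root may rebuild the alias database (your uid: $1)"
}

newaliases_main() {
    uid=$(id -u 2>/dev/null)
    if check_caller "$uid"; then
        exec "$SENDMAIL" -bi
    fi
    refusal_message "${uid:-unknown}" >&2
    # Record the refusal so repeated attempts show up in the mail log.
    if command -v logger >/dev/null 2>&1; then
        logger -p mail.notice -t newaliases \
            "refused rebuild for uid ${uid:-unknown}" || true
    fi
    return 1
}

# Act only when invoked under the name 'newaliases'.
case "${0##*/}" in
    newaliases) newaliases_main; exit $? ;;
esac
```
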