Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!rutgers!mit-eddie!bu-cs!mirror!rayssd!raybed2!linus!heart-of-gold!jc
From: jc@heart-of-gold (John M Chambers)
Newsgroups: comp.mail.sendmail
Subject: Non-root sendmail?
Message-ID: <164@heart-of-gold>
Date: 10 Nov 88 19:23:59 GMT
Organization: Mitre Corp, Bedford, MA, USA
Lines: 57

The infamous sendmail virus encourages me to, once again, ask what seems to me to be a straightforward question, and which will probably once again get me no end of flames telling me what an idiot I am, but I'm going to stick my ignorant neck out and ask it anyway:

Is there a way to run sendmail under a non-root id?

Maybe I should clarify. The obvious answer is "yes", since /etc/rc can always do something like

    su mail /usr/lib/sendmail -bd -q1h

This is not a good enough answer, however, because, while I can indeed do this on our Suns, the resulting process dies rather soon, resulting in no sendmail daemon running at all. Why it dies, I don't understand.

Well, I do partially understand. Sendmail obviously must access a bunch of files (sendmail.cf, aliases, etc.), not to mention some directories (/usr/spool/mqueue, etc.), and these obviously must be writable by the mail id. OK, give me credit for enough intelligence to know all that without being told, as well as how to change their ownerships over to mail. But that doesn't do the job.

I'm also rather familiar with sendmail's main competitor, uucp. It seems to run quite well under a mail id, and doesn't need anything setuid to root. In fact, it's fairly conventional to make all the programs setuid to uucp, or even better, setgid to mail, with all the files and directories being owned by uucp/mail. Mailboxes then end up owned by the user, with group mail and 660 permissions, and all that, and it works just fine.

It's real hard to do an attack like the sendmail virus on uucp. I mean, sure, you can fill up the /usr/spool partition. News does that routinely. You can even write chain letters, if you set up a few forwarding files correctly. But the kind of remote-execute-as-root capability that the virus was based on, well, it just doesn't work with uucp.

When I configure sendmail's permissions like uucp, it doesn't work just fine. Does anyone know why not? Even better, does anyone have instructions for installing sendmail so that it doesn't require root permissions (i.e., turning off system security, which is what root is all about) to run?

The recent virus has been something I've warned people about off and on for years. After all, seeing a daemon running as root that implements network file copies and remote executes should cause a red flag to pop up inside the skull of anyone who knows anything at all about security. But the supposed BSD experts just respond by insulting my intelligence for doubting the wisdom of sendmail's design.

The people who built uucp understood this all 10 years ago. Why haven't the SNMP people heard about it yet? (Oh, yes, they all know about it, but they haven't publicised the problem and/or its solutions because they're afraid some hacker will take advantage of the knowledge. :-)

--
From: John Chambers
From ...!linus!!heart-of-gold!jc (John Chambers)
Phone 617/217-7780
[Send flames; they keep it cool in this lab :-]
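The post's underlying point, a network daemon that keeps running as root, is usually addressed today by having the daemon start as root only for what needs it and then permanently drop to a dedicated account. The following is an added example of that drop sequence and a check that it really is permanent; it is not from the post, not sendmail or uucp code, and the numeric id 65534 used when started as root is an assumed "nobody" id rather than anything the post gives.

```c
/* Added example: permanent privilege drop for a daemon, plus a check that the
 * drop cannot be undone. Not from the original post or from sendmail. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to an unprivileged uid/gid.
 * Returns 0 on success, -1 with errno set on failure.
 * Order matters: supplementary groups first, then gid, then uid. Once the
 * uid is unprivileged the earlier two calls would be refused, leaving a
 * process that is only half dropped. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;          /* "dropping" to root is not a drop */
        return -1;
    }
    if (geteuid() == 0) {
        /* Clear inherited supplementary groups; only root may do this. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)        /* sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)        /* sets real, effective and saved uid */
        return -1;
    return 0;
}

/* Check that the drop is permanent: all ids match and root cannot be
 * regained. Returns 1 if dropped, 0 otherwise. A process that kept a saved
 * uid of 0 (for example by using seteuid instead of setuid) fails here. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (setuid(0) == 0)          /* regaining root must be refused */
        return 0;
    return errno == EPERM;
}

/* Run the drop with ids that fit whoever runs this: an assumed unprivileged
 * id (65534, conventionally "nobody") when started as root, otherwise the
 * caller's own ids, which an unprivileged process may always set. Returns 1
 * on a verified drop, 0 if the drop failed or could be undone. */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        uid = (uid_t)65534;      /* assumption: "nobody" on this system */
        gid = (gid_t)65534;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 0;
    }
    return privileges_dropped(uid, gid);
}

int main(void)
{
    int ok = demo_drop();
    printf("privilege drop %s (euid=%ld egid=%ld)\n",
           ok ? "verified" : "FAILED", (long)geteuid(), (long)getegid());
    return ok ? 0 : 1;
}
```

The check in privileges_dropped is the part worth keeping around: a daemon that merely changes its effective id still has a saved uid of 0 and can switch back, which is exactly the state a compromised process would exploit. Anything the daemon must still write after the drop (spool directories, mailboxes) has to be owned by or group-writable for the dropped-to id, which is the ownership layout the post describes for uucp.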