Newsgroups: comp.mail.sendmail
Path: utzoo!utgpu!jarvis.csri.toronto.edu!neat.ai.toronto.edu!rayan
From: rayan@ai.toronto.edu (Rayan Zachariassen)
Subject: Re: Non-root sendmail? (general comments on recent topics)
Message-ID: <88Nov13.134506est.6360@neat.ai.toronto.edu>
Organization: Department of Computer Science, University of Toronto
References: <756@hudson.acc.virginia.edu> <7902@bloom-beacon.MIT.EDU>
Date: Sun, 13 Nov 88 17:04:58 EST

Sendmail refuses to talk to itself in the (mistaken) belief that doing so
is necessarily a symptom of an imminent infinite loop. It wants to be nice
and save your behind.

Sendmail needs root permissions so that:

	1. it can read random users' .forward files
	2. it can create [qdlx]f* files in a particular "secure" directory
	3. it can execute "mailers" which require root permissions to do
	   their work
	4. it can read /dev/kmem to grab load averages, used to decide when
	   to run

Every one of these points can be compromised, but you won't end up with a
normal sendmail. It is hard to make a mailer run non-root unless you use a
different model of the environment (e.g. "protected ~/.forward files will
be ignored", or use a completely different scheme with the same
functionality).

# why is it that when sendmail invokes a pipe to a program, if it can resolve
# the sender of the mail message to a local user, it runs the program as that
# user?

Because it is cheap security in the normal case (Sendmail always has to
route the sender address anyway, in order to verify From: and Sender:
headers), and someone overlooked the interaction of this mechanism with
SMTP.

There have been two efforts going on to get rid of Sendmail, neither is yet
widely/publicly available (so don't ask unless you want to put some work
in):

Smail 3.x:	This is sort of "Sendmail without the rulesets", or as one of
		the authors put it "A 100% solution for 90% of the sites, a
		90% solution for 9% of the sites, a 9% solution for 1% of the
		sites, etc.". From what I've seen, this will be a good
		product. Its configuration feels MMDF-like to someone who
		hasn't used MMDF (me); although apart from that it isn't like
		MMDF at all.

ZMailer:	This is my solution to the Sendmail problem, it is intended to
		be "A 100% solution for 100% of the sites". That doesn't imply
		complexity, on the contrary. At UofT, the version running on
		internal servers and the one running on a gateway differ only
		in their databases; the configuration file is identical. The
		configuration file has a different feel than anything else I
		know (superficially reminiscent of Upas I suppose), it is a
		/bin/sh-superset language.

MMDF is an alternative to Sendmail if you have predictable address
manipulation needs. SliME and Upas are other solutions to the mail problem,
perhaps some sweet guy can be coaxed to comment on them?

Also, quoting one of the Smail3.x authors, "The complexity of sendmail.cf is
highly overrated"... it is. Sendmail has problems in its basic design that
make it unsuitable (i.e. it isn't flexible enough) for real situations. For
a while though, it was the only game in town for our purposes.

rayan

Sendmail's old hat! ZMailer's where it's at!
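An added example, not part of the original post and not sendmail or ZMailer code: one way a mailer running without root could apply the "protected ~/.forward files will be ignored" model mentioned under point 1. The names read_forward and try_forward, the result codes, and the owner and mode checks are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum fwd { FWD_OK, FWD_ABSENT, FWD_PROTECTED, FWD_UNSAFE };

/* Hypothetical helper: read `path` with the mailer's own non-root credentials
 * for the user with uid `owner`. Anything but FWD_OK means "do not forward". */
enum fwd read_forward(const char *path, uid_t owner, char *buf, size_t len)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)  /* EACCES: protected file, ignored; ELOOP: final symlink */
        return errno == ENOENT ? FWD_ABSENT : errno == EACCES ? FWD_PROTECTED : FWD_UNSAFE;
    /* fstat the open descriptor so the checks and the read see the same file */
    if (len == 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return FWD_UNSAFE;
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return FWD_UNSAFE;
    buf[n] = '\0';
    return FWD_OK;
}

/* Constructed input: a temp file owned by the caller, set to `mode`. */
enum fwd try_forward(mode_t mode, uid_t claimed, char *buf, size_t len)
{
    char path[] = "/tmp/fwd-demo-XXXXXX";
    int fd = mkstemp(path);
    enum fwd r = FWD_UNSAFE;
    if (fd < 0) return r;
    if (write(fd, "alice@example.org\n", 18) == 18 && fchmod(fd, mode) == 0)
        r = read_forward(path, claimed, buf, len);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    char b[64];
    return try_forward(0644, geteuid(), b, sizeof b) == FWD_OK ? 0 : 1;
}
```

The checks cover the file itself only; a home directory writable by others would still let someone else replace the file, so a real mailer would need to vet the directory as well.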