Path: utzoo!utgpu!watmath!clyde!ima!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.mail.sendmail
Subject: Re: Non-root sendmail?
Message-ID: <132@minya.UUCP>
Date: 20 Nov 88 15:56:28 GMT
References: <164@heart-of-gold> <3031@haven.umd.edu> <13145@ncoast.UUCP>
Organization: (none)
Lines: 32

> Is it possible to run sendmail on a UUCP-only system without any setuid, but
> instead setgid mail like the System III/V mailer?  What kinds of changes
> would it take?  (Note that ncoast will most probably NEVER run any kind of
> networking, so there's no reason for us to keep a setuid-root mailer.)
>

Actually, it's rather common to make uucp's critical programs (uucico,
uuxqt, rmail, uusched, uuetc.) both setuid-mail and setgid-mail.  If you
do this, then you "protect" innocent administrators (including yourself)
from all the ways that these programs can inadvertently end up being run
with uid=root.  This includes all the various things triggered by cron
(which must run as root), any of which may call mail which may call
uucico and/or uuxqt...

I've seen the same problems with news, which keeps stumbling across
files owned by root (and thus unwritable by news), until I change
rnews, expire, etc. to be setuid-news and setgid-news.

In both cases, using both setuid and setgid makes certain that the
programs will always run with the restricted permissions and can't be
tricked by some hacker into running as you and sending out all your
secret files to some interested party.

Of course, there are rumored to be versions of Sys/V which "remember"
old ids (specifically, root, when run from cron) and provide some way of
getting back the old id even though it differs from getuid() and
geteuid().  Such systems probably provide a way of getting to root even
with setuid-mail.  (I hope I'm wrong.)

--
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

[Any errors in the above are due to failures in the logic of the keyboard,
not in the fingers that did the typing.]
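
An added example, not part of the original post: a small audit of the scheme described above, checking that each UUCP and news program carries both the setuid and setgid bits and is owned by the restricted account rather than root. The function names and the /usr/lib/uucp directory are assumptions made for illustration; the program and account names are the ones the post mentions.

```python
import grp
import os
import pwd
import stat

# Program -> account it should be both setuid AND setgid to, as in the post.
# (Assumption: the account and its group share one name, "mail" or "news".)
EXPECTED = {"uucico": "mail", "uuxqt": "mail", "rmail": "mail",
            "uusched": "mail", "rnews": "news", "expire": "news"}

def check_mode(name, mode, owner, group):
    """Return findings for one program; an empty list means it matches."""
    want, findings = EXPECTED[name], []
    if not mode & stat.S_ISUID:
        findings.append("no setuid bit: runs with the caller's uid (root under cron)")
    elif owner != want:
        findings.append(f"setuid to {owner}, expected {want}")
    if not mode & stat.S_ISGID:
        findings.append("no setgid bit: runs with the caller's gid")
    elif group != want:
        findings.append(f"setgid to {group}, expected {want}")
    return findings

def _name(lookup, ident):
    """Resolve a numeric uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit_dir(directory):
    """Check each expected program present in `directory`; return {path: findings}."""
    report = {}
    for name in sorted(EXPECTED):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or os.path.islink(path):
            continue  # absent, not a regular file, or a symlink: not audited here
        st = os.lstat(path)
        report[path] = check_mode(name, st.st_mode,
                                  _name(pwd.getpwuid, st.st_uid),
                                  _name(grp.getgrgid, st.st_gid))
    return report

if __name__ == "__main__":
    for path, findings in audit_dir("/usr/lib/uucp").items():  # assumed location
        print(path, "OK" if not findings else "; ".join(findings))
```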