Path: utzoo!attcan!uunet!lll-winken!ames!mailrus!tut.cis.ohio-state.edu!cs.utexas.edu!ut-emx!reeder
From: reeder@ut-emx.UUCP (William P. Reeder)
Newsgroups: comp.mail.sendmail
Subject: Re: security?
Summary: more info
Keywords: forwarding, ProgMailer
Message-ID: <10821@ut-emx.UUCP>
Date: 28 Feb 89 21:04:38 GMT
References: <10798@ut-emx.UUCP>
Organization: University of Texas Computation Center
Lines: 55

More info on my problem with sendmail 5.61:

- I am running on an Encore Multimax, not a VAX.
- We use the "queue only" mode (Odq) for load limiting reasons.

The second point above seems to be the critical one. If sendmail is allowed to do delivery when called by the user's mail program, then the following happens:

- the local recipient's name becomes the "controlling address", ctladdr, and the QGOODUID flag is set.
- forwarding is done under the auspices of the controlling address. Specifically, forwarding to a program gets the program run under the uid and gid of the controlling address. This is good.

If, however, sendmail is directed to only queue messages, then this is what happens:

- when sendmail is invoked by the user's mail program it performs aliasing and forwarding on the various addresses and produces a queue file and a data file. If the recipient is local and has forwarded to a program, then the queue file (qf*) contains a line of the form "R|/path/prog". Sendmail exits.
- during the next queue run, sendmail finds a recipient which is a program. Note that the information about whose .forward file requested the forwarding is lost. Since the recipient (a program) has no password file entry, the QGOODUID flag cannot be set and sendmail must run the program under the default uid and gid (DefUid and DefGid). BUT, back in readqf() sendmail had called setsender() with the S entry in the queue file. If the S entry specifies a local user, then DefUid is set to the uid of the sender, and DefGid is set to the gid of the sender.

I believe this to be a security hole.
As a system programmer, I am in several "interesting" groups. And there are several "interesting" files which are "interesting" group write-able or read-able. If I locally send mail (as opposed to sending mail from my workstation) to a local user, then I am compromising the security of my system.

Unfortunately, our Encore behaves so badly under certain load conditions that we are extremely reluctant to run with "Odb". When I say badly, I don't just mean that things get slow, I mean that the machine may have to be powered off to restore functionality. My statement of our reluctance is perhaps the understatement of the (new) year.

I would like your opinions. Is sendmail's running a program under the uid of the sender a bug? A security hole? Should I report it as a bug to Berkeley? Is anyone responsible from Berkeley reading this newsfroup?

By the way, I believe that sendmail 5.54 works the same way in this regard. At the same time I installed 5.61, I switched from asynchronous delivery to queueing in an attempt to be a good citizen on our machine.

William Reeder
reeder@emx.utexas.edu, postmaster@emx.utexas.edu
--
DISCLAIMER: I speak only for myself, and usually only to myself.
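The uid selection the post describes, as an added simulation that is not sendmail code and not part of the original post: a constructed qf file with an S (sender) line and an R|program recipient is resolved the way the post says 5.61's queue run does it, with DefUid overridden by a local sender, and then again with a constructed "C" line that records the controlling address (the tag and format are my own, chosen to show the fix the post implies: keep the .forward owner in the queue file). Users, uids and paths are made up.

```python
# Constructed model of the sendmail 5.61 queue-mode uid problem. Not sendmail's
# code; a simplified simulation with invented users, ids and queue-file text.

DEF_UID = (1, 1)          # assumed site default DefUid/DefGid for untrusted runs

PASSWD = {                # constructed password-file entries: name -> (uid, gid)
    "reeder": (100, 20),  # local sender, member of "interesting" groups
    "alice": (200, 30),   # local recipient whose .forward names a program
}

def lookup_uid(name):
    """Return (uid, gid) for a local user, or None for unknown/remote names."""
    return PASSWD.get(name)

def parse_qf(text):
    """Parse the subset of qf lines modelled here: S<sender>, C<ctladdr>, R<recip>."""
    sender, ctladdr, recips = None, None, []
    for line in text.splitlines():
        if not line:
            continue
        tag, val = line[0], line[1:]
        if tag == "S":
            sender = val
        elif tag == "C":              # constructed tag: recorded controlling address
            ctladdr = val
        elif tag == "R":
            recips.append(val)
    return sender, ctladdr, recips

def creds_for_programs(qf_text):
    """Map each program recipient to the (uid, gid) it would be run under."""
    sender, ctladdr, recips = parse_qf(qf_text)
    # Model of readqf() -> setsender(): a local sender replaces DefUid/DefGid
    # with its own ids, which is the step the post identifies as the hole.
    defuid = lookup_uid(sender) or DEF_UID
    owner = lookup_uid(ctladdr) if ctladdr else None
    results = {}
    for r in recips:
        if not r.startswith("|"):     # only program recipients matter here
            continue
        # With a recorded controlling address the program runs as that user
        # (the QGOODUID case); otherwise it falls back to the sender-tainted default.
        results[r] = owner if owner else defuid
    return results

# Constructed queue files: lossy 5.61 style, and one that keeps the ctladdr.
QF_LOSSY = "Sreeder\nR|/usr/local/bin/filter\n"
QF_FIXED = "Sreeder\nCalice\nR|/usr/local/bin/filter\n"
QF_REMOTE = "Sbob@remote.example\nR|/usr/local/bin/filter\n"
```

With QF_LOSSY the program inherits the sender's uid 100, with QF_FIXED it runs as the recipient alice, and a remote sender falls back to the site default.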