Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Valdis . Kletnieks
Date: Mon Jan 18 2010 - 07:55:58 EST


On Thu, 14 Jan 2010 10:22:51 +0100, Pavel Machek said:
> > On Tue, 12 Jan 2010 08:59:27 +0100, Pavel Machek said:
> >
> > > Well, maybe, but mailer system where first user starts is as a daemon
> > > makes sense...
> >
> > Does it? How do you get port 25 open for listening if the first user isn't
> > root? Most *actual* schemes to "launch at first use" that require privs fo
r
> > something have used inetd or similar - that program exists for a
> > *reason*.
>
> Remember sendmail is setuid root... so it already has the permissions.

Actually, the sendmail setuid bit was removed quite some time ago:

8.12.0/8.12.0 2001/09/08
*NOTICE*: The default installation of sendmail does not use
set-user-ID root anymore. You need to create a new user and
a new group before installing sendmail (both called smmsp by
default). The installation process tries to install
/etc/mail/submit.cf and creates /var/spool/clientmqueue by
default. Please see sendmail/SECURITY for details.

Wow. 2001. And people *still* think it's setuid. ;)

(Interestingly enough, the capabilities bug came *later*:

8.12.1/8.12.1 2001/10/01
SECURITY: Check whether dropping group privileges actually succeeded
to avoid possible compromises of the mail system by
supplying bogus data. Add configuration options for
different set*gid() calls to reset saved gid. Problem
found by Michal Zalewski.

and was mostly an issue because the same problem existed in pre-8.12 sendmails
that were still setuid and hadn't upgraded yet...

Attachment: pgp00000.pgp
Description: PGP signature