First, my thanks to:
Stephen Schaefer - Medaphis Consultant <sps@gateway.bsis.com>
"Todd C. Miller" <Todd.Miller@cs.colorado.edu>
cygan@wpm.com (Linda Cygan)
Ian MacPhedran <macphed@dvinci.usask.ca>
"Christopher L. Barnard" <cbarnard@cs.uchicago.edu>
Bryan Curnutt <curnutt@Stoner.COM>
"C.R. Ritson" <C.R.Ritson@newcastle.ac.uk>
Casper Dik <casper@fwi.uva.nl>
Glenn.Satchell@uniq.com.au (Glenn Satchell - Uniq Professional Services)
kannan@catarina.usc.edu
------------------------------------------------------------------------
Second, the original question:
From: Lenny Turetsky <lturetsk@econ.yale.edu>
To: Sun Managers <sun-managers@ra.mcs.anl.gov>
Subject: running sendmail setgid() instead of setuid()
Message-Id: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
I'd like to have sendmail run as a setgid(mail) program, rather than a
setuid(root) program for the obvious security benefits.
Do I have to make any changes other than:
chgrp /usr/lib/sendmail /var/spool/m{queue,ail}
chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail}
and restart sendmail?
It can't be *that* simple, can it?
LT
------------------------------------------------------------------------
Third, the conclusion:
Well, it ain't that simple. I should have mentioned that I'm on SunOS
4.x, b/c SysV (Solaris) seems to do this by default.
First of all, sendmail needs to be root in order to access port 25
(the official SMTP port). This can be worked around by having sendmail
run from w/in inetd (and having sendmail in a crontab to empty its
queue every so often).
Next, there's the problem of sendmail needing to su to a user when
delivering mail to a pipe in his ~/.forward -- this can probably be
gotten around by making programs likely to get pipe (e.g., procmail,
filter, etc.) setgid(mail) as well.
Thirdly, when creating files, sendmail must be able to chown them to
users. This is the Big Problem(tm), b/c BSD only lets root chown
files, and for Good Reason(tm). I'm actually a bit unclear on this,
b/c I though that files would be created by the local mailer (usually
/bin/mail), and if that's setuid(root) then it doesn't matter what
sendmail's mode is. Am I wrong in my understanding of mail delivery?
One person's e-mail seemed to say that the local mailer is the thing
that does the actual delivery, but it keeps setting the file to user's
real group rather than the mail group. I'm not sure why this matters
if the local mailer is the thing that does the deliveries, but her
results suggested that it does.
Basically, what it all comes down to is that trying to make sendmail
run as setgid(mail) rather than setuid(root) is probably more trouble
than it's worth, and will break too much stuff (e.g., ~/.forwards with
pipes).
One person chastised me suggesting that if it were do-able, everyone
would be doing it. I'd just like to point out that according to that
line of reasoning, no-one would ever innovate, b/c they would think
that if the innovation were do-able, someone else would have already
done it. Don't get complacent -- innovate!
------------------------------------------------------------------------
Finally, the actual responses:
From: Stephen Schaefer - Medaphis Consultant <sps@gateway.bsis.com>
Received: by boca.gateway.bsis.com (5.x/SMI-SVR4)
id AA00509; Tue, 28 Feb 1995 16:39:24 -0500
Date: Tue, 28 Feb 1995 16:39:24 -0500
Message-Id: <9502282139.AA00509@boca.gateway.bsis.com>
To: lturetsk@econ.yale.edu
In-Reply-To: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu> (message from Lenny Turetsky on Tue, 28 Feb 1995 12:54:33 -0500 (EST))
Subject: Re: running sendmail setgid() instead of setuid()
Status: RO
X-Status:
You need root privilege to acquire port 25, so you'll need to muck
with the source code to change privilege after that port is opened.
You'll somehow have to convince all the user mail reading programs to
leave the mail spool mailboxes writable by your mail group. Other
things will occur to me later, but you've got a long, strange trip
ahead of you. Good luck,
- Stephen
To: Lenny Turetsky <lturetsk@econ.yale.edu>
Reply-To: Todd.Miller@cs.colorado.edu
Subject: Re: running sendmail setgid() instead of setuid()
In-Reply-To: Your message of "Tue, 28 Feb 1995 12:54:33 EST."
<Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
References: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
Date: Tue, 28 Feb 1995 14:38:12 -0700
From: "Todd C. Miller" <Todd.Miller@cs.colorado.edu>
Status: RO
X-Status:
In message <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
so spake Lenny Turetsky (lturetsk):
Last time I check sendmail needed to be able to chown files to
users. If it is not setuid root it is unable to do that. On
sysV unices where chown is not restricted you can run sendmail
setgid only (but an unrestricted chown is a can of worms in and
of itself).
- todd
Date: Tue, 28 Feb 1995 14:48:25 +0600
From: cygan@wpm.com (Linda Cygan)
Message-Id: <9502282048.AA04540@gypsy.wpm.com>
To: lturetsk@econ.yale.edu
Subject: Re: running sendmail setgid() instead of setuid()
X-Sun-Charset: US-ASCII
Content-Length: 486
Status: RO
X-Status:
I have never been able to get this to work correctly. No
matter what you change the mail or mailx command to, it
will still change the group of the file it modifies to
the group of the owner of that file, not the group of
the command. Please be sure to do a Summary. I am very
interested. I got it to work for mailtool, and uucp
mail, but internal mail that uses the mail command constantly
comes along and changes the group on users mail file and
then uucp and mailtool choke.
Date: Tue, 28 Feb 1995 16:57:21 -0600 (CST)
From: Ian MacPhedran <macphed@dvinci.usask.ca>
Subject: Re: running sendmail setgid() instead of setuid()
To: Lenny Turetsky <lturetsk@econ.yale.edu>
In-Reply-To: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
Message-Id: <Pine.3.88.9502281654.S9498-0100000@dvinci>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
On Tue, 28 Feb 1995, Lenny Turetsky wrote:
> I'd like to have sendmail run as a setgid(mail) program, rather than a
> setuid(root) program for the obvious security benefits.
> Do I have to make any changes other than:
> chgrp /usr/lib/sendmail /var/spool/m{queue,ail}
> chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail}
> and restart sendmail?
> It can't be *that* simple, can it?
Well, no.
1) Sendmail must run as root to enable several features, not the least
of which is to bind to a privileged port (smtp, port number 25).
2) Sendmail does not actually write the mail into /usr/spool/mail. Local
delivery is done by /bin/mail (which is also a suid(root) program).
I would suggest that you instead look at getting the current security
patches for sendmail (and binmail). These can be obtained from your
vendor, or via anonymous ftp from:
ftp.uu.net:/systems/sun/sun-dist
sendmail patches:
OS version Patch ID Patch File Name
---------- --------- ---------------
4.1.3 100377-19 100377-19.tar.Z
4.1.3_U1 101665-04 101665-04.tar.Z
5.3 101739-07 101739-07.tar.Z
5.4 102066-04 102066-04.tar.Z
5.4_x86 102064-04 102064-04.tar.Z
binmail patches:
SunOS Patch MD5 Checksum
------ ----- ------------
4.1.3 100224-13.tar.Z 90a507017a1a40c4622b3f1f00ce5d2d
4.1.3UI 101436-08.tar.Z 0e64560edc61eb4b3da81a932e8b11e1
> LT
Ian.
----------------------------------------------------------------------------
Ian MacPhedran, Engineering Computer Centre, 2B13 Engineering Building,
University of Saskatchewan, 57 Campus Drive, Saskatoon SK S7N 5A9, CANADA
Phone: (306)966-4832 Fax: (306)966-8710 Email: Ian_MacPhedran@engr.USask.CA
To: Lenny Turetsky <lturetsk@econ.yale.edu>
Subject: Re: running sendmail setgid() instead of setuid()
In-Reply-To: Your message of "Tue, 28 Feb 1995 12:54:33 EST."
<Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu>
Date: Tue, 28 Feb 1995 20:46:11 -0600
From: "Christopher L. Barnard" <cbarnard@cs.uchicago.edu>
Status: RO
X-Status:
> I'd like to have sendmail run as a setgid(mail) program, rather than a
> setuid(root) program for the obvious security benefits.
> Do I have to make any changes other than:
> chgrp /usr/lib/sendmail /var/spool/m{queue,ail}
> chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail}
> and restart sendmail?
> It can't be *that* simple, can it?
Unfortunately you're right. It isn't that simple. You need a way to
have the mailboxes still be owned by the user, not the mail delivery
agent. Root is the only one who can chown the mailbox after appending
data to it. If you *do* come up with a way to do it, I'm sure Eric
Allman would love to hear it, though! ;^)
+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@cs.uchicago.edu / \ anybody could become president. |
| (312) 702-8850 O---O Now I'm beginning to believe it. |
| http://cs-www.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
From: Bryan Curnutt <curnutt@Stoner.COM>
Message-Id: <199503010501.XAA21758@crusher.Stoner.COM>
Subject: Re: running sendmail setgid() instead of setuid()
To: lturetsk@econ.yale.edu
Date: Tue, 28 Feb 1995 23:01:16 -0600 (CST)
In-Reply-To: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu> from "Lenny Turetsky" at Feb 28, 95 12:54:33 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 763
Status: RO
X-Status:
Lenny Turetsky wrote:
> I'd like to have sendmail run as a setgid(mail) program, rather than a
> setuid(root) program for the obvious security benefits.
> Do I have to make any changes other than:
> chgrp /usr/lib/sendmail /var/spool/m{queue,ail}
> chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail}
> and restart sendmail?
> It can't be *that* simple, can it?
Well, at a minimum you also have to make sure that everyone's .forward
files are readable by group "mail", and that everyone's spool file is
writable by group "mail".
-- Bryan Curnutt Stoner Associates, Inc. bryan.curnutt@stoner.com 5177 Richmond Ave., Suite 900 +1 713 626 9568 voice +1 713 622 7832 fax Houston TX 77056From: "C.R. Ritson" <C.R.Ritson@newcastle.ac.uk> Message-Id: <AA05293.199503010952.ttyp5@newton.ncl.ac.uk> Subject: Re: running sendmail setgid() instead of setuid() To: lturetsk@econ.yale.edu Date: Wed, 1 Mar 1995 09:52:43 +0000 (GMT) In-Reply-To: <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu> from "Lenny Turetsky" at Feb 28, 95 12:54:33 pm X-Mailer: ELM [version 2.4 PL24] Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1649 Status: RO X-Status:
Lenny Turetsky says:
> I'd like to have sendmail run as a setgid(mail) program, rather than a > setuid(root) program for the obvious security benefits.
> Do I have to make any changes other than: > chgrp /usr/lib/sendmail /var/spool/m{queue,ail} > chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail} > and restart sendmail?
Sendmail will not be able to open the privileged port 25 to become a daemon that way. One option might be to run it from inetd using its -bs option. There will be a performance hit, as it will need to initialize every time a message arrives.
In /etc/inetd.conf, you need to enable a listener:-
smtp stream tcp nowait mail /usr/lib/sendmail sendmail -bs
You will also need to run periodic queue runs from crontab (again as user/group mail). You need to run:-
/usr/lib/sendmail -q
You will also find that local mail DELIVERY may need to be tweaked, to allow delivery to user's mailboxes. Maybe it also needs to be made setgid mail.
You will however end up with other security risks, I guess, as sendmail will then no longer be able to relinquish its setuid privileges (which it does very readily), so there will be things that users can now do that they should not be able to do. You would need to look at the code to find where.
I haven't tried this at all, but I hope that these guesses are interesting. Please post a summary.
Chris Ritson. -- EMAIL: C.R.Ritson@newcastle.ac.uk POST: Chris Ritson, PHONE: +44 191 222 8175 Department of Computing Science, FAX : +44 191 222 8232 University of Newcastle upon Tyne, ROOM : 618 Claremont Tower (The Mill) United Kingdom NE1 7RU.
To: Lenny Turetsky <lturetsk@econ.yale.edu> X-Orig-Cc: Sun Managers <sun-managers@ra.mcs.anl.gov> Subject: Re: running sendmail setgid() instead of setuid() In-Reply-To: Your message of "Tue, 28 Feb 1995 12:54:33 EST." <Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu> Date: Wed, 01 Mar 1995 11:26:14 +0100 From: Casper Dik <casper@fwi.uva.nl> Status: RO X-Status:
>I'd like to have sendmail run as a setgid(mail) program, rather than a >setuid(root) program for the obvious security benefits.
>Do I have to make any changes other than: > chgrp /usr/lib/sendmail /var/spool/m{queue,ail} > chmod -R 2755 /usr/lib/sendmail /var/spool/m{queue,ail} >and restart sendmail?
>It can't be *that* simple, can it?
No. Sendmail expects to run as root for a variety of reasons, an important one being the ability to execute programs in .forwards.
One possible fix would be to replace sendmail with a wrapper that delivers mail through SMTP instead of directly (in which case sendmail no longer needs to run as root)
Casper
Date: Wed, 1 Mar 1995 19:25:45 --1000 From: Glenn.Satchell@uniq.com.au (Glenn Satchell - Uniq Professional Services) Message-Id: <9503010825.AA26149@upstage.uniq.com.au> To: lturetsk@econ.yale.edu Subject: Re: running sendmail setgid() instead of setuid() X-Sun-Charset: US-ASCII Content-Length: 0 Status: RO X-Status:
If it was that simple then people would do it, right? It's not that simple and many other things break. If you're worried about security then you shouldn't even run sendmail at all :-)
A pretty secure way to do it is to run it in a chroot(2) jail, where it can only access it's own files and directories. You should also get hold of sendmail 8 or IDA sendmail as these get rid of quite a few security related bugs.
regards, -- Glenn Satchell glenn@uniq.com.au | There's a fine line Uniq Professional Services Pty Ltd ACN 056 279 335 | between fishing and PO Box 70, Paddington, NSW 2021, (Sydney) Australia | standing on the shore Phone 02 380 6360 Pager 016 287 000 Fax 02 380 6416 | looking like an idiot.
From: kannan@catarina.usc.edu To: Lenny Turetsky <lturetsk@econ.yale.edu> Subject: Re: running sendmail setgid() instead of setuid() In-Reply-To: Your message of Tue, 28 Feb 1995 12:54:33 -0500.<Pine.SUN.3.91.950228124909.18216B-100000@aida.econ.yale.edu> Date: Wed, 01 Mar 1995 22:50:57 -0800 Sender: kannan@catarina.usc.edu Status: RO X-Status:
You don't need to change permissions on /var/spool/mail. In fact, the chmod -R /var/spool/mail is a bad idea, since now every user's mail file is readable by everyone else.
sendmail has to set uid to the user before it runs | commands, so individual users who have their own .forwards that pipe their mail through slocal, procmail etc. will fail. sendmail also writes out dead.letter directly onto user's home directory, which will fail if it is not running as root. There may be others, but I cannot recall off the top of my head.
If these two are not problems for you, you can certainly experiment with it. The piping thingy might not be a problem if your local mailer is procmail directly, as the BSD sendmail 8.6.10 configs can do.
Kannan
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:17 CDT