The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #071 [Regarding Berkeley's sendmail fix...] (1 message, 1021 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/071.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Jeff Forys <forys@cs.utah.edu>
To: phage
Date: Sun 00:44:22 06/11/1988 EST
Subject: Regarding Berkeley's sendmail fix...

Berkeley's sendmail fix simply disallows the DEBUG command.  While
this plugs the hole in the case of remote SMTP connections, it's
still possible to invoke sendmail to mail directly to files and
invoke programs by using:

	/usr/lib/sendmail -d0.1 [...]

However, sendmail does go back to the real uid before doing this.

My problem is this.  I know of at least one site that allows
sendmail to be invoked by UUCP/uuxqt (i.e. it's in their L.cmds).
They, then, will still have a *serious* security problem.

The patch I used here at Utah follows, and solves both problems.
Why did Berkeley opt for removal of DEBUG?  I know it's not in
RFC821, but was there another problem associated with it, or was
it simply not used enough?

Thanks,
Jeff Forys

*** /tmp/,RCSt1019027	Sat Nov  5 21:12:55 1988
--- recipient.c	Thu Nov  3 03:16:44 1988
***************
*** 202,208 ****
  	{
  		a->q_mailer = m = ProgMailer;
  		a->q_user++;
! 		if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
  		{
  			a->q_flags |= QDONTSEND|QBADADDR;
  			usrerr("Cannot mail directly to programs");
--- 202,208 ----
  	{
  		a->q_mailer = m = ProgMailer;
  		a->q_user++;
! 		if (a->q_alias == NULL && !QueueRun && !ForceMail)
  		{
  			a->q_flags |= QDONTSEND|QBADADDR;
  			usrerr("Cannot mail directly to programs");
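Review bot: In the ProgMailer check at line 205, the two exemptions that remain, `!QueueRun && !ForceMail`, need the same scrutiny as the `!tTd(0, 1)` term being dropped. If either can be set from the command line by the invoking user, as -d0.1 set the debug flag, direct delivery to programs stays reachable for a sendmail invoked through uuxqt. Nothing in these lines shows where the two are set, so please confirm that and add a comment above the condition naming the callers that are trusted to set them.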
***************
*** 251,257 ****
  		if (strncmp(a->q_user, ":include:", 9) == 0)
  		{
  			a->q_flags |= QDONTSEND;
! 			if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QBADADDR;
  				usrerr("Cannot mail directly to :include:s");
--- 251,257 ----
  		if (strncmp(a->q_user, ":include:", 9) == 0)
  		{
  			a->q_flags |= QDONTSEND;
! 			if (a->q_alias == NULL && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QBADADDR;
  				usrerr("Cannot mail directly to :include:s");
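Review bot: The condition `a->q_alias == NULL && !QueueRun && !ForceMail` at line 254 is now the same expression as in the program and file checks, written out by hand in three places; a single macro or small function for it would keep the three sites from drifting apart the next time an exemption is added or removed. This branch also sets QDONTSEND before the test and only QBADADDR inside it, unlike the other two sites, which deserves a one-line comment so the difference reads as intentional.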
***************
*** 284,290 ****
  		{
  			p = rindex(buf, '/');
  			/* check if writable or creatable */
! 			if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QDONTSEND|QBADADDR;
  				usrerr("Cannot mail directly to files");
--- 284,290 ----
  		{
  			p = rindex(buf, '/');
  			/* check if writable or creatable */
! 			if (a->q_alias == NULL && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QDONTSEND|QBADADDR;
  				usrerr("Cannot mail directly to files");
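Review bot: The comment `/* check if writable or creatable */` at line 286 sits directly above a condition that tests how the address was reached (alias, queue run, ForceMail) rather than file permissions, so it misleads a reader of the patched line 287; move it to the code that performs the permission check or reword it. The behaviour change is also undocumented: with the `!tTd(0, 1)` term gone, a -d0.1 run can no longer be used to exercise delivery to files, and that should be recorded wherever the debug flags are described.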

END OF DOCUMENT
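
The guard changed by the patch in the message above, as an added example in C that is not part of the original message or of sendmail's source: it models the four terms of the condition as flag bits (the `F_*` names and function names are assumptions made for this illustration) and enumerates every combination to show which ones the patch closes and which remain trusted.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (added example) of the guard patched in recipient.c.
 * It applies only to program, :include: and file recipients.
 * F_ALIAS: a->q_alias != NULL, F_DEBUG: tTd(0, 1) as set by -d0.1,
 * F_QUEUE_RUN: QueueRun, F_FORCE_MAIL: ForceMail. */
enum { F_ALIAS = 1, F_DEBUG = 2, F_QUEUE_RUN = 4, F_FORCE_MAIL = 8, NSTATES = 16 };

/* Guard before the patch: true means the address is marked QBADADDR. */
bool rejects_before(unsigned flags)
{
    return !(flags & F_ALIAS) && !(flags & F_DEBUG) &&
           !(flags & F_QUEUE_RUN) && !(flags & F_FORCE_MAIL);
}

/* Guard after the patch: the debug term is gone. */
bool rejects_after(unsigned flags)
{
    return !(flags & F_ALIAS) && !(flags & F_QUEUE_RUN) && !(flags & F_FORCE_MAIL);
}

/* Number of flag combinations for which a guard lets the address through. */
int count_accepted(bool (*rejects)(unsigned))
{
    int n = 0;
    for (unsigned f = 0; f < NSTATES; f++)
        if (!rejects(f))
            n++;
    return n;
}

/* Bitmask of combinations accepted before the patch and rejected after it;
 * bit f is set when combination f changed. */
unsigned closed_by_patch(void)
{
    unsigned mask = 0;
    for (unsigned f = 0; f < NSTATES; f++)
        if (!rejects_before(f) && rejects_after(f))
            mask |= 1u << f;
    return mask;
}

int main(void)
{
    printf("accepted before: %d of %d\n", count_accepted(rejects_before), NSTATES);
    printf("accepted after:  %d of %d\n", count_accepted(rejects_after), NSTATES);
    printf("closed by patch: 0x%x\n", closed_by_patch());
    return 0;
}
```

The only combination that changes is the one where the debug flag is the sole flag set; every combination involving an alias, QueueRun or ForceMail is still accepted, so those are the paths the fix continues to trust.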