The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #3 1989-01-26 (1 file, 1591 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/103.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Thu, 26 Jan 89 19:20:09 PST
Subject: Security Digest V1 #3

Security Digest Volume 1 Issue 3

subject(s):

            do not run fingerd as root
            re: sendmail bug
            re: YA sendmail bug
            Yet Another Sendmail Bug
            Re: Moderated Security List

------------------------------------------------------------------------

Date: Mon, 23 Jan 89 23:57:06 EST
From: Bill Wisner <uunet!zug.ai.mit.edu!wisner>
Subject: do not run fingerd as root

This problem is old news, but I still see it all over the place. Many
people apparently don't know.

Do not, ever, have inetd run fingerd as root. Doing so allows anybody to
read any protected file. Picture:

% ln -s /protected/file/in/protected/directory .plan
% finger wisner@localhost

There's that protected file. The solution, of course, is to have fingerd
run under a harmless UID, like nobody.

------------------------------------------------------------------------

Date: Tue, 24 Jan 89 10:07:08 CST
From: "Matt Crawford" <uunet!oddjob.uchicago.edu!matt>
Subject: re: sendmail bug

I tried the "-oQ." bug mentioned by Paul Hite against sendmail 5.59
running on a Sun.  Sendmail gave a message "(resetting uid)" and
logged an error:

Jan 24 10:02:03 localhost:      11755 sendmail: bogus: SYSERR: qfbogus: line 3: readqf: cannot open /etc/protectedfile: Permission denied

The cure, therefore, is to update your sendmail.  Paul neglected to
say what versions were running on the ultrix and HP systems he tried.

------------------------------------------------------------------------

Date: Wed, 25 Jan 89 07:52:46 +1100
From: Robert Elz <uunet!munnari!kre>
Subject: re: YA sendmail bug

> I suggest simply losing the -oQ option.  This is really just another
> debugging feature.

Unfortunately, its not .. this has real uses outside the debugging
environment.  I have used it to handle SMTP mail over a link which is
only available at certain fixed times of day .. the messages are all
queued in an alternate queue directory, and at the appropriate time
sendmail -q -oQ/whatever is used to clear the queue.

> If we must have a -oQ option then is should be available only to root.

This is a much better idea, its also easy.

------------------------------------------------------------------------

Date: Wed, 25 Jan 89 08:39:45 -0800
From: uunet!okeeffe.Berkeley.EDU!bostic (Keith Bostic)
Subject: Yet Another Sendmail Bug

This bug was fixed, at Berkeley, as far as I can tell, in late 1984.  The
-oQ option is *very* useful at large sites that wish to run multiple queues.
However, if you run with your standard queue directory (normally /usr/spool/
mqueue) as 777 or something equally silly, the bug report applies.

>  No kidding.  The 4.1BSD [I think] `lock' had a hardcoded magic
>  unlock password ("hasta la vista"), and ^Z would stop it as

This stupidity was fixed, at Berkeley, in early 1984.  The current
code for lock(1) is publicly available on uunet.

------------------------------------------------------------------------

Date: Tue, 24 Jan 89 12:42:58 EDT
From: uunet!dptcdc!bar (Brian Ruptash)
Subject: Re: Moderated Security List

I'd also suggest a Subject: line, containing the digest name, volume
and issue number (ie. "Security Digest Vm #n").  Right now, there
is no subject line.

[automatically done for this and all future digests - neil]

END OF DOCUMENT