Sendmail security issue

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Mon Aug 18 18:53:58 UTC 2003


Hi everybody!

I have been wondering for some months why all new Sendmail versions in Redhat,
even those in Rawhide, Severn and Taroon, have a default setup in the
sendmail.mc/sendmail.cf configuration files which breaks the security
architecture that comes with Sendmail 8.12.x.

While with Sendmail 8.11.x and earlier all processes run as root, Sendmail
8.12.x has a main process running as root and a separate queue runner process
running as the unprivileged user smmsp. In all Redhat Sendmail 8.12.x this
concept is broken by using define(`confTRUSTED_USER', `smmsp') in the
sendmail.mc and therefore sendmail.cf files. So default Redhat Sendmail
hosts are much less secure than they should be.

Months ago I mailed Florian LaRoche about this; it had no effect at all.
It's not a bug, but a security flaw which is not necessary.

Regards

Alexander Dalloz


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653
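The post above names one m4 setting and one expected privilege split (MTA daemon as root, queue runner as smmsp). The script below is an added audit example, not code from the poster or from Red Hat's sendmail package: it reads the value given to confTRUSTED_USER out of an m4 file and lists which sendmail processes actually run as which user, so an administrator can see a host's real state rather than argue from the default. Assumptions that are mine: the define uses the usual m4 quoting `define(\`confTRUSTED_USER', \`value')`, the process listing comes from `ps -eo user,args`, and the sendmail.mc fragment and ps output embedded here are constructed samples.

```shell
#!/bin/sh
# Added example (not the original post's or Red Hat's code): audit a
# sendmail 8.12 host for the confTRUSTED_USER setting and the real
# owner of each sendmail process. Assumptions: sendmail.mc uses the
# usual m4 quoting define(`confTRUSTED_USER', `value') and process
# listings come from `ps -eo user,args`.

# Print the value given to confTRUSTED_USER in an m4 file, or nothing
# when the option is not set. A line commented out with a leading
# "dnl" does not match, because the define must start the line.
trusted_user_setting() {
    sed -n "s/^[[:space:]]*define(\`confTRUSTED_USER', *\`\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Read `ps -eo user,args` output on stdin (header included) and print
# one line per sendmail process, so the privilege split is visible.
sendmail_processes() {
    awk 'NR > 1 && $2 ~ /^sendmail/ { print }'
}

# Count the sendmail processes owned by the given user in
# `ps -eo user,args` output read from stdin.
count_sendmail_as() {
    awk -v u="$1" 'NR > 1 && $1 == u && $2 ~ /^sendmail/ { n++ } END { print n + 0 }'
}

# Write a constructed sendmail.mc fragment (not Red Hat's real file)
# carrying the define the post objects to, plus a commented-out copy.
write_sample_mc() {
    cat > "$1" <<'EOF'
divert(-1)dnl
dnl # constructed sendmail.mc fragment for the audit example
divert(0)dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTRUSTED_USER', `smmsp')dnl
dnl define(`confTRUSTED_USER', `root')dnl
MAILER(smtp)dnl
EOF
}

# Constructed `ps -eo user,args` output for an 8.12 host: the MTA
# daemon as root, the MSP queue runner as smmsp, plus unrelated noise.
SAMPLE_PS='USER     COMMAND
root     sendmail: accepting connections
smmsp    sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root     /usr/sbin/sshd
alex     -bash'

# Stand-alone demo: `sh audit.sh run` prints the setting and the
# sendmail processes from the constructed samples.
if [ "${1:-}" = "run" ]; then
    mc=$(mktemp)
    write_sample_mc "$mc"
    echo "confTRUSTED_USER = $(trusted_user_setting "$mc")"
    echo "$SAMPLE_PS" | sendmail_processes
    rm -f "$mc"
fi
```

On a real host, point `trusted_user_setting` at /etc/mail/sendmail.mc and feed `ps -eo user,args` into `sendmail_processes`; the script reports what is configured and what is running, it does not by itself judge whether the reported value is a problem.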