Re: Fw: Anonymous Qmail Denial of Service

[Peter van Dijk]

On Mon, Jan 04, 1999 at 11:49:19AM -0600, Mate Wierdl wrote:
>    
>    3) Why not write the uid into a Received: line automatically?
> 
> If you do
> 
>    echo |qmail-queue
> 
> you see
> 
>     cat /var/qmail/queue/mess/16/179646
>     Received: (qmail 32431 invoked by uid 500); 4 Jan 1999 17:32:36 -0000
> 
> so I guess the same should happen just by doing 
> 
>    qmail-queue
> 
> But does qmail-queue have to be executable by o?  If a user cannot
> execute qmail-queue directly, the identification problem disappear,
> does not it?

That would require qmail-inject and qmail-smtpd, among others, to be suid
or sgid to some uid/gid that will allow them to execute qmail-queue.
That would be Wrong(tm).

Greetz, Peter.
-- 
<squeezer> AND I AM GONNA KILL MIKE                |          Peter van Dijk
<squeezer> hardbeat, als je nog nuchter bent:      | [EMAIL PROTECTED]
<squeezer>   @date = localtime(time);              |  realtime security d00d
<squeezer>   $date[5] += 2000 if ($date[5] < 37);  | 
<squeezer>   $date[5] += 1900 if ($date[5] < 99);  |    -x- available -x-