sendmail no longer installs setuid root when you compile it from source.
instead the README suggests that you create a separate user and group and
have that group have a setuid.  redhat's version on the other hand IS set to
setuid root (check /usr/sbin/sendmail.sendmail).

_________________________________
daniel a. g. quinn
starving programmer

understand that legal and illegal are political, and often arbitrary,
categorizations; use and abuse are medical, or clinical, distinctions.
 - abbie hoffman


----- Original Message -----
Sent: Thursday, August 01, 2002 12:30 PM
Subject: Re: mail server from source saga continues....


| On Tue, 2002-07-30 at 18:10, Gerry Doris wrote:
| >
| > I continue to see these claims that sendmail is insecure.  However, I've
| > yet to see anyone actually back this up.  Would you please give me the
| > details of why sendmail is insecure.
|
| It's installed SUID root (may not be true in future versions, Red Hat
| seems to have a solution to that particular problem)
| It's one, very large, very complex application.
|
| Without even beginning to get into other problems, the two above are
| enough that anyone with even a little security background will
| acknowledge that sendmail is not, and can not be made, secure.  SUID
| applications should be as small as possible to accomplish their task:
| less code means fewer problems to exploit.  Any other common MTA makes
| minimal use of root privileges and SUID binaries.
|
| Sendmail has a very long history of root exploits, both local and
| remote.  It shouldn't be hard to find them.  Just look at
| www.sendmail.org.
|
| --
| redhat-list mailing list
| Unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
| https://listman.redhat.com/mailman/listinfo/redhat-list
|
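
An added example, not part of either poster's message: a POSIX shell check that reports which of the install models discussed above a binary uses (setuid root, set-ID to a separate user or group, or no set-ID bits). The function names priv_model and audit_mta are made up for this example; only the path /usr/sbin/sendmail.sendmail comes from the thread.

```shell
#!/bin/sh
# Added example: classify how a mail binary obtains its privileges.
# Uses only POSIX test(1), ls(1) and awk(1).

# priv_model PATH -> prints one of:
#   setuid-root   set-user-ID bit set and the file is owned by uid 0
#   setuid-user   set-user-ID bit set, owner is not root
#   setgid-group  set-group-ID bit only: runs with the file's group, not as root
#   plain         no set-ID bits
#   missing       path does not exist
priv_model() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # -L follows symlinks, matching what [ -u ] and [ -g ] test.
    owner_uid=$(ls -ldnL -- "$f" | awk '{print $3}')
    if [ -u "$f" ]; then
        if [ "$owner_uid" -eq 0 ]; then
            echo setuid-root
        else
            echo setuid-user
        fi
    elif [ -g "$f" ]; then
        echo setgid-group
    else
        echo plain
    fi
}

# audit_mta PATH... -> one "verdict path" line per argument.
# Returns 1 if any argument is setuid root, 0 otherwise.
audit_mta() {
    rc=0
    for p in "$@"; do
        v=$(priv_model "$p")
        printf '%-13s %s\n' "$v" "$p"
        if [ "$v" = setuid-root ]; then rc=1; fi
    done
    return $rc
}

# Run against any paths given on the command line,
# e.g. the one named in the thread: /usr/sbin/sendmail.sendmail
if [ "$#" -gt 0 ]; then
    audit_mta "$@"
fi
```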


