Re: Sendmail up to 8.9.1 - mail.local introduces new class of

From: Jonathan Stott (jstottat_private)
Date: Mon Aug 10 1998 - 06:17:26 PDT

    [description of DoS attacks via mail.local snipped]
    
    > Fix:
    >
    > It's stupid to make any part of sendmail package setuid. It's really
    > possible to make sendmail work with no setuid nor setgid, by arranging
    > proper communication with sendmail daemon, if running. Also, I suggest to
    > be at least careful with new features of recent Sendmail version :-)
    
    mail.local, while it is distributed with sendmail, is not part of sendmail.
    
    From sendmail-8.9.0/README:
    :mail.local      The source for the local delivery agent used for 4.4BSD.
    :                THIS IS NOT PART OF SENDMAIL! and may not compile
    :                everywhere, since it depends on some 4.4-isms.  Warning:
    :                it does mailbox locking differently than other systems.
    
    A better fix would be to use procmail, or /bin/mail, or some other
    program for local mail delivery.
    
    -JS
    