[comp.unix.ultrix] How does sendmail get UUCP host names?

bill@pslu1.psl.wisc.edu (Bill Roth) (03/12/91)

I'm having trouble installing UUCP on a DECstation 3100. If I install
a new host in L.sys, and create the appropriate directories, kill sendmail,
freeze the configuration file, and restart sendmail, when I mail
to the new host, it does not find it. The mailer returns a message that
says: host "newhost" not connected to pslu1 by uucp.

Where does sendmail pick up the UUCP hosts, and how?
-- 

------------------------------------------------------------------------
Bill Roth,  University of Wisconsin Physical Sciences Laboratory
email: bill@pslu1.psl.wisc.edu bill@wiscpsl.bitnet   /  (608)-873-6651

rickert@mp.cs.niu.edu (Neil Rickert) (03/12/91)

In article <1991Mar12.011642.17723@pslu1.psl.wisc.edu> bill@pslu1.psl.wisc.edu (Bill Roth) writes:
>I'm having trouble installing UUCP on a DECstation 3100. If I install
>a new host in L.sys, and create the appropriate directories, kill sendmail,
>freeze the configuration file, and restart sendmail, when I mail
>to the new host, it does not find it. The mailer returns a message that
>says: host "newhost" not connected to pslu1 by uucp.
>
>Where does sendmail pick up the UUCP hosts, and how?

 This depends on the design of 'sendmail.cf'.  A popular method is to define
a class, say $=U, which matches all connected UUCP hosts.

 Look for a line:

CUuuhost1 uuhost2 ...

 or perhaps

CU uuhost1
CU uuhost2
 ...

 or perhaps

FU/pathname/of/file_containing UUCP hosts

 In the above, 'U' could be just about any letter of the alphabet.

grep '^[FC]' sendmail.cf

 can be very helpful in guessing which letter is used.

 (A particularly undesirable approach uses
FU/usr/lib/uucp/L.sys
 which has the wonderful effect of putting all passwords in L.sys into
the freeze file, and into any core dumps from sendmail).

-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940

jch@hollie.rdg.dec.com (John Haxby) (03/12/91)

In article <1991Mar12.011642.17723@pslu1.psl.wisc.edu>, bill@pslu1.psl.wisc.edu (Bill Roth) writes:
|> I'm having trouble installing UUCP on a DECstation 3100. If I install
|> a new host in L.sys, and create the appropriate directories, kill sendmail,
|> freeze the configuration file, and restart sendmail, when I mail
|> to the new host, it does not find it. The mailer returns a message that
|> says: host "newhost" not connected to pslu1 by uucp.
|> 
|> Where does sendmail pick up the UUCP hosts, and how?

Look for the line that contains "L.sys" in the sendmail configuration
file, make sure that it is not commented out :-) and check that
the scanf(3s) format string on that line will indeed pick out the
UUCP hostnames from L.sys.
-- 
John Haxby, Definitively Wrong.
Digital				<jch@wessex.rdg.dec.com>
Reading, England		<...!ukc!wessex!jch>

jch@hollie.rdg.dec.com (John Haxby) (03/12/91)

In article <1991Mar12.035457.18829@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
|>  (A particularly undesirable approach uses
|> FU/usr/lib/uucp/L.sys
|>  which has the wonderful effect of putting all passwords in L.sys into
|> the freeze file, and into any core dumps from sendmail).

Except that sendmail makes sure the freeze file
is mode 600 ... we like to fix security holes.
-- 
John Haxby, Definitively Wrong.
Digital				<jch@wessex.rdg.dec.com>
Reading, England		<...!ukc!wessex!jch>

rickert@mp.cs.niu.edu (Neil Rickert) (03/12/91)

In article <1991Mar12.102259.1777@hollie.rdg.dec.com> jch@hollie.rdg.dec.com (John Haxby) writes:
>
>In article <1991Mar12.035457.18829@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>|>  (A particularly undesirable approach uses
>|> FU/usr/lib/uucp/L.sys
>|>  which has the wonderful effect of putting all passwords in L.sys into
>|> the freeze file, and into any core dumps from sendmail).
>
>Except that sendmail makes sure the freeze file
>is mode 600 ... we like to fix security holes.

 Mode 600 prevents someone running 'strings' on the freeze file.  But it is
pretty easy to coax 'sendmail' into generating a core dump owned by the person
who invokes 'sendmail', and all the same information should be there.  This
risk is also present if you don't use a freeze file.

 A much safer approach is to run 'uuname' into a file, and use that file
in an F line in 'sendmail.cf'.  The whole thing can be run from a makefile
which redoes the 'uuname' if L.sys changes, then rebuilds the freeze file
if the file containing 'uuname' output changes.  (With a little care in
preparing a suitable shell script, you can have the 'make' also kill and
restart the sendmail daemon when the freeze file changes.)

-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940
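
The uuname-based approach from the post above, together with the F-line check from earlier in the thread, as an added example that is not part of the original thread or any poster's own script. The `uuhosts` file, the `/usr/lib/sendmail.cf` location, the `UUNAME`/`HOSTS`/`CF` variables, the function names and the `--apply` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths below are assumptions for illustration.
UUNAME=${UUNAME:-uuname}               # prints one connected UUCP host per line
HOSTS=${HOSTS:-/usr/lib/uucp/uuhosts}  # hypothetical file; sendmail.cf gets: FU/usr/lib/uucp/uuhosts
CF=${CF:-/usr/lib/sendmail.cf}

# Print every file named on an F line that should not be read into sendmail's
# memory: L.sys itself, or any existing file that is not world-readable.
risky_fclass_files() {
    # F line: F<class letter><path> [scanf format]; keep only the path.
    sed -n 's/^F.[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
    while read -r f; do
        case $f in
            */L.sys) echo "$f"; continue ;;
        esac
        [ -e "$f" ] || continue
        perm=$(ls -ldL "$f" | cut -c8)     # 8th mode character is "other read"
        [ "$perm" = r ] || echo "$f"
    done
}

# Rewrite $HOSTS from uuname output.
# Returns 0 if the list changed, 1 if unchanged, 2 if uuname failed or was empty.
refresh_uucp_hosts() {
    tmp=$HOSTS.$$
    if ! $UUNAME > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"; return 2             # keep the old list rather than empty the class
    fi
    if [ -f "$HOSTS" ] && cmp -s "$tmp" "$HOSTS"; then
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$HOSTS"
}

if [ "${1:-}" = "--apply" ]; then
    risky=$(risky_fclass_files "$CF")
    if [ -n "$risky" ]; then
        echo "sendmail.cf F lines read confidential files:" $risky >&2
        exit 1
    fi
    # Only when the host list changed: rebuild the freeze file (-bz on sendmail
    # versions that have freeze files), then restart the daemon by local procedure.
    if refresh_uucp_hosts; then
        /usr/lib/sendmail -bz
    fi
fi
```

Because the generated file holds only host names, it can stay world-readable, and nothing from L.sys beyond those names reaches the freeze file or sendmail's address space.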

jch@hollie.rdg.dec.com (John Haxby) (03/12/91)

In article <1991Mar12.130319.14972@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
|>  Mode 600 prevents someone running 'strings' on the freeze file.  But it is
|> pretty easy to coax 'sendmail' into generating a core dump owned by the person
|> who invokes 'sendmail', and all the same information should be there.  This
|> risk is also present if you don't use a freeze file.

How?  sendmail catches the quit signal and you can't send it
your favourite core-dumping signal unless you are root.
Unless you have a dead-cert bug that makes sendmail
drop core every time ....
-- 
John Haxby, Definitively Wrong.
Digital				<jch@wessex.rdg.dec.com>
Reading, England		<...!ukc!wessex!jch>

rickert@mp.cs.niu.edu (Neil Rickert) (03/13/91)

In article <1991Mar12.143810.7383@hollie.rdg.dec.com> jch@hollie.rdg.dec.com (John Haxby) writes:
>
>In article <1991Mar12.130319.14972@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>|>  Mode 600 prevents someone running 'strings' on the freeze file.  But it is
>|> pretty easy to coax 'sendmail' into generating a core dump owned by the person
>|> who invokes 'sendmail', and all the same information should be there.  This
>|> risk is also present if you don't use a freeze file.
>
>How?  sendmail catches the quit signal and you can't send it
>your favourite core-dumping signal unless you are root.
>Unless you have a dead-cert bug that makes sendmail
>drop core every time ....

[I have added comp.mail.sendmail to the newsgroups, because of the importance
of this issue.  :nwr]

 Must I spell out the details of a security problem you may have inflicted
on your users?  That would only open up the problem further for everyone to
see and perhaps take advantage of.

 For the time being, I will not spell it out.  The bug is not in 'sendmail',
but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
read a file such as L.sys which contains confidential information.
DON'T DO IT.

 Making the freeze file mode 600, or running without a freeze file is at best
a partial solution.  It prevents the direct attack of
'strings sendmail.fc'.  But someone familiar with the workings of sendmail
CAN coerce it into taking a publicly readable core dump which is likely
to contain a copy of the confidential information.  And it does not require
root privileges to do this.

-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940

greywolf@unisoft.UUCP (The Grey Wolf) (03/27/91)

/* <1991Mar12.171523.30268@mp.cs.niu.edu> by rickert@mp.cs.niu.edu (Neil Rickert)
 * 
 * [I have added comp.mail.sendmail to the newsgroups, because of the importance
 * of this issue.  :nwr]
 * 
 *  For the time being, I will not spell it out.  The bug is not in 'sendmail',
 * but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
 * read a file such as L.sys which contains confidential information.
 * DON'T DO IT.

Smart move.

 *
 * Making the freeze file mode 600, or running without a freeze file is at
 * best a partial solution.

I will now close my eyes so the room will be empty.

 *
 * It prevents the direct attack of 'strings sendmail.fc'.  But someone
 * familiar with the workings of sendmail CAN coerce it into taking a publicly
 * readable core dump which is likely to contain a copy of the confidential
 * information.  And it does not require root privileges to do this.
 *

Um, pardon, but it *does* require root permission to generate a core dump
from a setuid-root executable%.  Never mind that making /usr/lib/uucp/L.sys
part of the configuration via an F line is not a smart move.
This hole must be *really* obscure.  {flaming? send me mail.}


 * 
 * -- 
 * =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
 *   Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
 *   Northern Illinois Univ.
 *   DeKalb, IL 60115                                   +1-815-753-6940


% Under any *reasonable* kernel, this is true:  A core can only be generated
  if the invoking uid and the real uid are identical, and even then only if
  the executable has read permission.  This goes out the window if you're
  the super-user.