[comp.mail.sendmail] How does sendmail get UUCP host names?

rickert@mp.cs.niu.edu (Neil Rickert) (03/13/91)

In article <1991Mar12.143810.7383@hollie.rdg.dec.com> jch@hollie.rdg.dec.com (John Haxby) writes:
>
>In article <1991Mar12.130319.14972@mp.cs.niu.edu>, rickert@mp.cs.niu.edu (Neil Rickert) writes:
>|>  Mode 600 prevents someone running 'strings' on the freeze file.  But it is
>|> pretty easy to coax 'sendmail' into generating a core dump owned by the person
>|> who invokes 'sendmail', and all the same information should be there.  This
>|> risk is also present if you don't use a freeze file.
>
>How?  sendmail catches the quit signal and you can't send it
>your favourite core-dumping signal unless you are root.
>Unless you have a dead-cert bug that makes sendmail
>drop core every time ....

[I have added comp.mail.sendmail to the newsgroups, because of the importance
of this issue.  :nwr]

 Must I spell out the details of a security problem you may have inflicted
on your users?  That would only open up the problem further for everyone to
see and perhaps take advantage of.

 For the time being, I will not spell it out.  The bug is not in 'sendmail',
but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
read a file such as L.sys which contains confidential information.
DON'T DO IT.

 Making the freeze file mode 600, or running without a freeze file is at best
a partial solution.  It prevents the direct attack of
'strings sendmail.fc'.  But someone familiar with the workings of sendmail
CAN coerce it into taking a publicly readable core dump which is likely
to contain a copy of the confidential information.  And it does not require
root privileges to do this.

-- 
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940
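The advice above boils down to a configuration check: any 'F' line in sendmail.cf that names a file only root can read (L.sys, with its UUCP login passwords, being the classic case) pulls that file's contents into a setuid-root process whose memory can end up in sendmail.fc or a core file. The following script is an added example, not code from the thread or from sendmail; it parses the sendmail 5.x style `F<class><path> [pattern]` line format (assumed from the era's syntax), stats each named file, and flags those that are not world-readable. The sendmail.cf fragment and the file modes it creates in a temporary directory are constructed for the demonstration.

```python
"""Audit a sendmail.cf for 'F' class lines that load files which are not
world-readable.  Such a file is protected only by its own mode, yet sendmail
(setuid root) copies its contents into memory, so the freeze file and any
core dump become a second copy of it.  Added example; the .cf text and the
file modes below are constructed, not taken from a real system."""
import os
import re
import stat
import tempfile

# Assumed sendmail 5.x form: 'F', a one-character class name, an absolute
# path, and an optional scanf pattern, e.g. "FU/usr/lib/uucp/L.sys %s".
F_LINE = re.compile(r'^F(?P<cls>\S)(?P<path>/\S+)')

# Constructed sendmail.cf fragment: one harmless F line, one that reads L.sys.
SAMPLE_CF = """\
# constructed sendmail.cf fragment for the demo
Fw/etc/sendmail.cw
FU/usr/lib/uucp/L.sys %s
Cm mp.cs.niu.edu
"""


def f_line_files(cf_text):
    """Return (class, path) pairs for every F line that names a file."""
    pairs = []
    for line in cf_text.splitlines():
        m = F_LINE.match(line)
        if m:
            pairs.append((m.group('cls'), m.group('path')))
    return pairs


def audit(cf_text, root=''):
    """Return findings for F-line files that are missing or lack 'other' read
    permission.  'root' is prefixed to each path so the demo can run against
    a scratch tree instead of the live /etc and /usr/lib/uucp."""
    findings = []
    for cls, path in f_line_files(cf_text):
        full = root + path
        try:
            mode = os.stat(full).st_mode
        except FileNotFoundError:
            findings.append((cls, path, 'missing'))
            continue
        if not mode & stat.S_IROTH:
            # sendmail.cf asks sendmail to read a file ordinary users may not.
            findings.append((cls, path,
                             'confidential (mode %o)' % stat.S_IMODE(mode)))
    return findings


def demo():
    """Build a scratch tree with a public sendmail.cw (0644) and a private
    L.sys (0600), then audit SAMPLE_CF against it."""
    with tempfile.TemporaryDirectory() as root:
        for path, mode in (('/etc/sendmail.cw', 0o644),
                           ('/usr/lib/uucp/L.sys', 0o600)):
            full = root + path
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w') as fh:
                fh.write('placeholder contents\n')
            os.chmod(full, mode)
        return audit(SAMPLE_CF, root)


if __name__ == '__main__':
    for cls, path, why in demo():
        print('class %s reads %s: %s' % (cls, path, why))
```

Run against a real host (`audit(open('/etc/sendmail.cf').read())`, no `root` prefix) the only acceptable output is an empty list: every file an F line names should already be readable by everyone, because sendmail will effectively make it so.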

greywolf@unisoft.UUCP (The Grey Wolf) (03/27/91)

/* <1991Mar12.171523.30268@mp.cs.niu.edu> by rickert@mp.cs.niu.edu (Neil Rickert)
 * 
 * [I have added comp.mail.sendmail to the newsgroups, because of the importance
 * of this issue.  :nwr]
 * 
 *  For the time being, I will not spell it out.  The bug is not in 'sendmail',
 * but in any use in 'sendmail.cf' of an 'F' line which requires sendmail to
 * read a file such as L.sys which contains confidential information.
 * DON'T DO IT.

Smart move.

 *
 * Making the freeze file mode 600, or running without a freeze file is at
 * best a partial solution.

I will now close my eyes so the room will be empty.

 *
 * It prevents the direct attack of 'strings sendmail.fc'.  But someone
 * familiar with the workings of sendmail CAN coerce it into taking a publicly
 * readable core dump which is likely to contain a copy of the confidential
 * information.  And it does not require root privileges to do this.
 *

Um, pardon, but it *does* require root permission to generate a core dump
from a setuid-root executable%.  Never mind that making /usr/lib/uucp/L.sys
part of the configuration via an F line is not a smart move.
This hole must be *really* obscure.  {flaming? send me mail.}


 * 
 * -- 
 * =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
 *   Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
 *   Northern Illinois Univ.
 *   DeKalb, IL 60115                                   +1-815-753-6940


% Under any *reasonable* kernel, this is true:  A core can only be generated
  if the invoking uid and the real uid are identical, and even then only if
  the executable has read permission.  This goes out the window if you're
  the super-user.