We have our Majordomo working at last. This mailing-list management
software has given us a great solution, but we have some doubts about the
wrapper and security. The system and configuration are shown below:
-wrs--x--x root majordom wrapper
dwrxr-x--x majordom majordom majordomo (Majordomo directory)
majordom (UID=349, GID=52 (majordom group))
There are two major ways that sendmail can be run: as a SUID root process,
or as an ordinary process. When the sender of the mail is local, and
delivery is via the prog delivery agent (as in the case of the wrapper
when it is invoked through the aliases line:
"|/my/path/majordomo/wrapper majordomo"), then sendmail changes
its owner and group identity to that of the sender. If the sender is root,
sendmail changes its owner and group identity to that specified by the g and
u options (my sendmail.cf is set to g=u=daemon). Otherwise, when the
sender of the mail is not on the local machine, sendmail changes its owner
and group identity to that specified by the g and u options.
Finally my question: is there any chance to change the wrapper
permissions to -wrs--x--- and have the sendmail delivering local mails?
The problem is that if the wrapper is set to
-wrs--x--- root majordom wrapper
and then sendmail changes its owner and group identity to that of the
sender, it won't be able to execute the wrapper and the result will be
an unknown mailer error 1.
I tried to follow David Wolfe's suggestion of changing the settings to
-wrs--x--- root daemon wrapper
but the result was that when the sender of the mail was not in the local
machine delivery worked fine, but when the sender of the mail was local,
sendmail wasn't able to execute the wrapper and the result was an unknown
mailer error 1.
We are worried about security: is the bit x set to others a
security hole? We were able to copy a shell to the majordomo directory
and to run it with /pron2/majordomo/wrapper sh and we succeeded!
Victor Daniel Gadda
Jose Ignacio Alvarez Hamelin
Facultad de Ingenieria de la Universidad de Buenos Aires.
:-) :-) :-) :-) :) :-) :-) :-) :-)
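
An added example, not part of the original post: a small model of the Unix execute check applied to the three wrapper layouts discussed above, showing which sendmail identity can run the wrapper in each case and flagging the setuid-plus-other-execute combination. UID 349 and GID 52 are from the post; the daemon and local-user numbers are assumptions.

```python
import stat
from collections import namedtuple

# Constructed identities. UID 349 / GID 52 come from the post; the daemon
# and local-user numbers are assumptions for illustration only.
Ident = namedtuple("Ident", "name uid gids")
DAEMON = Ident("sendmail as daemon (remote or root sender)", 1, {1})
LOCAL = Ident("sendmail as local sender", 1001, {100})
MAJORDOM = Ident("majordom", 349, {52})

def may_exec(mode, owner_uid, group_gid, who):
    """Execute check for a non-root caller: exactly one permission class
    applies (owner, else group, else other); there is no fall-through."""
    if who.uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if group_gid in who.gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def audit(mode, owner_uid, group_gid, callers):
    """Return (findings, {caller name: can execute the wrapper})."""
    findings = []
    if mode & stat.S_ISUID and mode & stat.S_IXOTH:
        findings.append("setuid and executable by others: "
                        "any local account can invoke it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    access = {c.name: may_exec(mode, owner_uid, group_gid, c) for c in callers}
    return findings, access

# The three layouts from the post: (mode, owner uid, group gid).
LAYOUTS = {
    "4711 root:majordom": (0o4711, 0, 52),
    "4710 root:majordom": (0o4710, 0, 52),
    "4710 root:daemon": (0o4710, 0, 1),
}

if __name__ == "__main__":
    for label, (mode, uid, gid) in LAYOUTS.items():
        findings, access = audit(mode, uid, gid, [DAEMON, LOCAL, MAJORDOM])
        print(label, stat.filemode(stat.S_IFREG | mode))
        for name, ok in access.items():
            print("  ", "exec ok  " if ok else "exec DENY", name)
        for finding in findings:
            print("   finding:", finding)
```

The model reproduces the behaviour reported in the post: with group daemon and no execute bit for others, only the daemon identity reaches the wrapper, so local-sender delivery fails.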