I have a question or two about the update contents. What I see in the INSTALL security disclaimer and FAQ doesn't seem to match what I see in testing.
The INSTALL file says that to really be secure you should make the mode on the majordomo directory 750, and it leaves how to make that work with your MTA as an exercise for the user, pointing them to the FAQ. The solution in the FAQ doesn't seem to work for me (RedHat Linux, sendmail 8.9.3 including smrsh). Something's missing in the docs.
Background:
I installed majordomo from sources, and added the appropriate link in /etc/smrsh for wrapper so sendmail could find it. What I found was that wrapper doesn't work unless I make the mode on /home/majordom 751 (added execute), which to me doesn't make it safer to put on local systems, as 'wrapper' is a well-known program name and users can still invoke it (in fact they can read it through the link in /etc/smrsh). So can somebody tell me what changing the permissions did that was of any benefit, and whether it's any tighter than it was before?
Secondly, I downloaded the RedHat rpm file and looked at it, and they also have /home/majordom mode 751 (presumably for the same reason). Good ? Bad ? Other ?
Bottom line - how do you set a properly working sendmail 8.9.x installation with smrsh up so that majordomo-1.94.5 can run with its directory at mode 750 ? I don't see that in the FAQ at all.
Lastly, it seems to me that the patches to resend were the fix (at least the published exploit fails to work now). Is there anything to be gained by changing the mode on majordomo's home to remove all world access?
--
Vince.Skahan@boeing.com
G-4792 Systems Engineering - Systems Design
voice - (425) 957-5111 pager - (206) 797-2715
http://bcstec.ca.boeing.com/~vds/
> ----------
> From: Chan Wilson[SMTP:cwilson@neu.sgi.com]
> Sent: Tuesday, January 18, 2000 6:37 AM
> To: majordomo-workers@greatcircle.com; brent@greatcircle.com; mcb@postmodern.com
> Subject: Majordomo 1.94.5 released.
>
>
> I've just placed majordomo-1.94.5.tgz onto ftp.sgi.com:/other/majordomo/.
> The only code change was the regexp tweak that Dave mentioned earlier.
> I also updated the docs per my other notes to the -workers list.
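The permission behaviour Vince describes (wrapper only runs once /home/majordom is 751, and 751 lets any local user reach it by name) follows from how POSIX resolves a path: every directory on the way, including those reached through the /etc/smrsh symlink's target, must grant search (x) to the calling identity, and only then are the target file's own bits checked. The small model below walks that rule for the three configurations the question implies. It is an added illustration, not code from the original post, majordomo or sendmail; the uids and gids, the assumption that smrsh runs deliveries as an unprivileged `daemon` principal (gid 2), and the wrapper's mode of 4755 are all invented for the example.

```python
"""Toy model of POSIX path permission checks, added here to show what the
750 / 751 mode on /home/majordom changes for smrsh exec'ing wrapper through
the /etc/smrsh symlink.  Not code from majordomo or sendmail; the uids, gids
and the assumption that smrsh runs as an unprivileged 'daemon' principal are
invented for the illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                     # permission bits within one class

# Assumed identities: majordom owns its tree; the MTA's smrsh runs as daemon;
# an ordinary local shell user has neither identity.
MAJORDOM_UID, MAJORDOM_GID = 100, 100
DAEMON_UID, DAEMON_GID = 1, 2
LOCAL_UID, LOCAL_GID = 1000, 1000


@dataclass
class Node:
    uid: int
    gid: int
    mode: int                          # e.g. 0o750; setuid bit allowed (0o4755)
    symlink_to: str | None = None      # absolute target if this is a symlink
    children: dict[str, "Node"] = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset[int]


MTA = Principal(DAEMON_UID, frozenset({DAEMON_GID}))
LOCAL = Principal(LOCAL_UID, frozenset({LOCAL_GID}))


def permits(node: Node, who: Principal, want: int) -> bool:
    """Exactly one class applies: owner if uid matches, else group if any of
    the caller's gids match, else other.  No root short-circuit: smrsh is
    the unprivileged case we care about."""
    if who.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in who.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def resolve(root: Node, path: str, who: Principal, depth: int = 0) -> Node:
    """Walk an absolute path.  Every directory on the way, including those
    reached via a symlink target, must grant search (x) to the caller;
    the first one that refuses raises PermissionError naming it."""
    if depth > 8:
        raise RuntimeError("too many symlinks")
    node = root
    parts = [p for p in path.split("/") if p]
    for i, name in enumerate(parts):
        if not permits(node, who, X):
            raise PermissionError("/" + "/".join(parts[:i]))
        node = node.children[name]
        if node.symlink_to is not None:
            node = resolve(root, node.symlink_to, who, depth + 1)
    return node


def access(root: Node, path: str, who: Principal, want: int) -> bool:
    """True if the caller can traverse to path and has `want` on the object
    itself (X on a file means exec; R on a directory means listing it)."""
    try:
        return permits(resolve(root, path, who), who, want)
    except PermissionError:
        return False


def build_fs(home_mode: int, home_gid: int) -> Node:
    """/etc/smrsh/wrapper -> /home/majordom/wrapper, with the home directory's
    mode and group as the two knobs the message is asking about."""
    wrapper = Node(MAJORDOM_UID, MAJORDOM_GID, 0o4755)   # assumed: setuid majordom, world r-x
    home = Node(MAJORDOM_UID, home_gid, home_mode, children={"wrapper": wrapper})
    link = Node(0, 0, 0o777, symlink_to="/home/majordom/wrapper")
    smrsh = Node(0, 0, 0o755, children={"wrapper": link})
    root = Node(0, 0, 0o755)
    root.children["etc"] = Node(0, 0, 0o755, children={"smrsh": smrsh})
    root.children["home"] = Node(0, 0, 0o755, children={"majordom": home})
    return root


def scenario(home_mode: int, home_gid: int) -> dict[str, bool]:
    """Who can exec wrapper via the smrsh link, and who can list the home dir."""
    fs = build_fs(home_mode, home_gid)
    return {
        "mta_exec": access(fs, "/etc/smrsh/wrapper", MTA, X),
        "local_exec": access(fs, "/etc/smrsh/wrapper", LOCAL, X),
        "local_list_home": access(fs, "/home/majordom", LOCAL, R),
    }


if __name__ == "__main__":
    for mode, gid, label in [(0o750, MAJORDOM_GID, "750, group majordom"),
                             (0o751, MAJORDOM_GID, "751, group majordom"),
                             (0o750, DAEMON_GID, "750, group daemon")]:
        print(f"{label:22s} {scenario(mode, gid)}")
```

With the directory at 750 and group majordom, the MTA's identity is neither owner nor group member, so the walk stops at /home/majordom and wrapper never runs, which is the failure reported above. At 751 the "other" class gains search-only permission: nobody can list /home/majordom, but anyone who knows the name wrapper (and it is well known) can traverse to it and exec it, which is the objection raised above. Leaving the mode at 750 and instead giving the directory the group the MTA runs as (gid 2 in this model) is the one configuration where the MTA traverses and ordinary local users do not; whether that matches the FAQ's recipe, and which group a given sendmail/smrsh build actually runs as, is not something the message settles and has to be checked on the installed system.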