Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Root shell vixie cron exploit

From: jk () CSUCHICO EDU (John Kennedy)
Date: Fri, 3 Sep 1999 17:19:47 -0700

On Wed, Sep 01, 1999 at 09:08:55PM +0400, Seva Gluschenko wrote:

man sendmail:
/-C
...skipping...
      -Cfile  Use alternate configuration file.  Sendmail refuses to run
              as root if an alternate configuration file is specified.

and it does, for sure %-).

Just tested this on different versions of FreeBSD and had no effects
except Mail Delivery message:

The following address has permanent fatal errors:
-C/tmp/vixie-cf gvs

So, sendmail _really_ refuses to accept -C key when run as root


  ???  I haven't looked hard at that exploit, but I know sendmail and that
is untrue.

  When an average (non-root) user tries to use a -C in sendmail, sendmail
will drop all its suid privs.  You can (mis-)configure sendmail to do
stupid things like run an arbitrary program is root -- your average user
just can't do that themselves.

  I had assumed that the whole problem with the vixie-cron exploit was
that cron allowed users to invoke sendmail with arbitrary command-line
options *as root*, so dropping SUID status doesn't do any good.
Sendmail doesn't try to protect the root user from themselves.
Previous By Date Next
Previous By Thread Next

Current thread: