Nicolas Williams wrote:
> On Wed, Nov 11, 2009 at 12:44:13PM -0800, Liane Praza wrote:
>>     4.11. Security Impact:
>>
>>      During normal operation smtp-notify must invoke sendmail to deliver
>>      email notifications.  Because sendmail is not privilege-aware and
>>      because sendmail must use setuid to set its effective uid
>>      to the user whose spool it must write to, we are forced to run
>>      smtp-notify with all privileges.
> 
> Huh?  You mean that all privileges must remain in L?  Or all privileges
> must remain asserted in E?  I don't understand why the latter would be
> required, and as for the former, it should suffice to keep PROC_SETID in
> L (since PROC_SETID is needed in L in order for exec()s of set-uid/set-
> gid executables to affect the process' credentials).
> 
> Perhaps you mean that the smtp-notify processes must run with euid == 0
> instead of noaccess so that sendmail allows it to send mail?

Yes - I'm admittedly a newbie when it comes to privileges :)

I just spoke with Nicolas on the phone and he was kind enough to explain the
privilege mechanism to me and give me some pointers for properly determining the
minimum set of privileges needed.  Based on that conversation it seems that
smtp-notify should be able to reduce its E and P sets to just basic as long as
it retains the PROC_SETID privilege in the L set.  I will test and verify this
later today.

Thanks Nick!

rob
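To make the E/P/L discussion above concrete, here is a small toy model of Solaris privilege sets, added as an illustration and not part of this thread or of smtp-notify. It replaces priv_set_t and setppriv(2) with bitmasks, uses a handful of made-up privilege bits (only PROC_SETID and the basic set matter), assumes the "noaccess" uid is 60002, and models only the rule Nicolas stated: a set-uid exec changes the effective uid only when PROC_SETID is in L. The extra E/P expansion a set-uid-root exec grants a non-privilege-aware program such as sendmail is deliberately left out.

```c
/* Toy model of Solaris process privilege sets (E, P, I, L), constructed for
 * illustration. Bitmasks stand in for priv_set_t; the enum values and the
 * "all" mask are invented and are not the real privilege numbering. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;

enum {
    PRIV_FILE_LINK_ANY = 1u << 0,
    PRIV_PROC_EXEC     = 1u << 1,
    PRIV_PROC_FORK     = 1u << 2,
    PRIV_PROC_INFO     = 1u << 3,
    PRIV_PROC_SESSION  = 1u << 4,
    PRIV_PROC_SETID    = 1u << 5,
    PRIV_SYS_ADMIN     = 1u << 6,   /* stand-ins for "everything else" */
    PRIV_NET_PRIVADDR  = 1u << 7,
};
#define PRIV_BASIC (PRIV_FILE_LINK_ANY | PRIV_PROC_EXEC | PRIV_PROC_FORK | \
                    PRIV_PROC_INFO | PRIV_PROC_SESSION)
#define PRIV_ALL     0xffu
#define UID_ROOT     0u
#define UID_NOACCESS 60002u   /* assumed uid of the Solaris "noaccess" user */

struct proc { unsigned euid; privset_t E, P, I, L; };

/* A process started with the given uid and the same privileges in all four sets. */
static struct proc proc_start(unsigned euid, privset_t privs) {
    struct proc p = { euid, privs, privs, privs, privs };
    return p;
}

/* Model of setppriv(PRIV_SET, which, privs): a set may only shrink, and the
 * invariants E <= P <= L and I <= L are re-established after each change.
 * Returns 0 on success, -1 if the request would grow a set. */
static int priv_set(struct proc *p, char which, privset_t privs) {
    switch (which) {
    case 'E':
        if (privs & ~p->P) return -1;
        p->E = privs; break;
    case 'P':
        if (privs & ~p->P) return -1;
        p->P = privs; p->E &= p->P; break;
    case 'I':
        if (privs & ~p->L) return -1;
        p->I = privs; break;
    case 'L':
        if (privs & ~p->L) return -1;
        p->L = privs; p->P &= p->L; p->E &= p->L; p->I &= p->L; break;
    default:
        return -1;
    }
    return 0;
}

/* exec() of a binary: privileges pass through I (bounded by L), and the
 * set-uid bit changes the euid only when PROC_SETID is in L.  The E/P
 * expansion a set-uid-root exec gives a non-privilege-aware program is
 * not modelled here. */
static void exec_binary(struct proc *p, bool file_setuid, unsigned file_owner) {
    p->I &= p->L;
    p->E = p->P = p->I;
    if (file_setuid && (p->L & PRIV_PROC_SETID))
        p->euid = file_owner;
}

/* The plan from the reply: run smtp-notify as noaccess, shrink E and P to
 * basic, keep (or, for contrast, drop) PROC_SETID in L, then exec a
 * set-uid-root sendmail.  Returns the euid sendmail ends up with. */
static unsigned smtp_notify_euid_after_exec(bool keep_setid_in_L) {
    struct proc p = proc_start(UID_NOACCESS, PRIV_ALL);
    priv_set(&p, 'L', PRIV_BASIC | (keep_setid_in_L ? PRIV_PROC_SETID : 0));
    priv_set(&p, 'I', PRIV_BASIC);
    priv_set(&p, 'P', PRIV_BASIC);
    priv_set(&p, 'E', PRIV_BASIC);
    exec_binary(&p, true, UID_ROOT);
    return p.euid;
}

/* A process that already dropped to basic cannot put PROC_SETID back. */
static int growth_is_refused(void) {
    struct proc p = proc_start(UID_NOACCESS, PRIV_BASIC);
    return priv_set(&p, 'E', PRIV_BASIC | PRIV_PROC_SETID);
}

int main(void) {
    printf("PROC_SETID kept in L: sendmail euid = %u\n",
           smtp_notify_euid_after_exec(true));   /* 0 */
    printf("PROC_SETID dropped from L: sendmail euid = %u\n",
           smtp_notify_euid_after_exec(false));  /* 60002 */
    printf("re-adding PROC_SETID to E after dropping it: %d\n",
           growth_is_refused());                 /* -1 */
    return 0;
}
```

The two calls to smtp_notify_euid_after_exec show the trade-off in the thread: with PROC_SETID left in L, smtp-notify itself runs with only basic privileges yet the set-uid sendmail it execs still becomes root; with PROC_SETID removed from L, sendmail stays noaccess and cannot reach the spool.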
