RE: Security warning: using linuxconf(RedHat 6.2) and permissions of /usr/sbin/sendmail

Thu, 08 Jun 2000 10:24:55 -0700 

Three things:  

First, linuxconf is NOT owned by RedHat.  Therefore, it's not RedHat's
problem.  (You might want to convey your concerns to the linuxconf
maintainers)

Second, this is a GREAT example of why one might not want to trust someone
else's RPM packages.  

Third, if installing qmail via LWQ, your /usr/sbin/sendmail might very well
be symlinked to /var/qmail/bin/sendmail

(I did it that way)

Regards,
Geordon
(who has finally gone back to Slackware from RedHat)

-----Original Message-----
From: Peter Bieringer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 08, 2000 12:17 PM
To: [EMAIL PROTECTED]
Subject: Security warning: using linuxconf(RedHat 6.2) and permissions
of /usr/sbin/sendmail
Importance: High


Hi,

some days ago another guy mentioned that he has detected wrong permissions
on his RedHat system using 
qmail at the wrapper "/usr/sbin/sendmail".

I have reproduced this on 2 systems:

Scenario:
        RedHat 6.2 (including linuxconf 1.17r2)
        sendmail-RPM deinstall
        qmail-SRPM build and install


After original Qmail installation:
        /usr/sbin/sendmail 0755 root:qmail

After adding a user with "linuxconf":
        /usr/sbin/sendmail 6755 root:root (suid,sgid!)


That's really not Qmails intention that the wrapper runs now with suid
root...


So ***everyone using Qmail (or postfix also) on RedHat systems should do
following check***:

1) Test if sendmail-RPM is really not installed:

        [root@mail /root]# rpm -qi sendmail
        package sendmail is not installed


2) check permissions of wrapper binary "/usr/sbin/sendmail"

        [root@mail /root]# ls -al /usr/sbin/sendmail
BAD:    -rwsr-sr-x    1 root     root         9748 Apr 27 20:13
/usr/sbin/sendmail
GOOD:   -rwxr-xr-x    1 root     mail         9748 Apr 27 20:13
/usr/sbin/sendmail


3) Re-secure, if BAD:
        [root@mail /root]# chown root:mail /usr/sbin/sendmail


4) Turnarounds to prevent re-insecuring:
* do not use "linuxconf" anymore for adding users until RedHat has released
a new version which do no longer reset the owner/group/permissions of
"/usr/sbin/sendmail" (if it's not from the sendmail-RPM)
        
* setup a cron script with does 3) as often as possible (i.e. all hours or
shorter)


        Peter

Reply via email to