Re: Oops,I guess Sendmail wasn't secure after all...
Thus spake Boris ([EMAIL PROTECTED]): JA Not quite. More like someone inspects your free car and finds a button JA that can make it explode. Maybe he pushes the button, maybe not. Maybe he JA pushes the button on someone else's car. Are you willing to take that JA risk? I can imagine two situations where that would be the case: either Well, there is no button with a text like press me here -) for the public. Can we _please_ drop this? Boris has shown that his pitiful excuse for knowledge about his computer, his software, the Internet and just about everything else is not worth spending time on. If he does not go by himself, just killfile him and be done with it. This kind of bullshit is discussed with cluon sinks like Boris here hundreds of time every day on Usenet. No need to repeat that here. Thanks. Now: Boris, please crawl back under your stone, and the rest: let's talk about qmail again on the qmail list. Felix
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello Russell, Saturday, June 02, 2001, 5:38:43 AM, you wrote: RN Boris writes: RN I really can´t hear the qmail is the most secure bla bla anymore, RN really. RN Why? It's true. Yes it is true, and qmail is great, but it would be better to make a better documentation for qmail, and to offer bundles with a single makefile. My english is not very good, sorry. I mean qmail has better arguments as security only. Why no one makes a package with all you need to download and install, here is a suggestion: - qmail - the tcpserver - something good for pop before smtp - vpopmail - good tools for blocking spam, blocking mails from open relays, and so on - and other additions from other people i do not know There should be one file to download and the makefile should do nearly everything neccessary. I should not spend days to understand the different modules as a newbie, it takes too much time. RN At the moment I am evaluating qmail, and there RN are some things I am missing from sendmail. RN Like what? See above, a better installation, better documentation. I have written in my linux/unixbook a chapter about the installation and configuratio of qmail in a production environment, covering all neccessary topics (german language) but its too much for the stressed administrator. Strange argument, I know. I am a user only in this case. Putting a lot of snippets togeter for one package is not a bad idea and would give a boost to qmail (i think). -- Boris
Re: Oops,I guess Sendmail wasn't secure after all...
Boris([EMAIL PROTECTED])@2001.06.02 05:01:57 +: When I was using sendmail on my FreeBSD Server, it has never been hacked, very strange ugh? no. with your domain name, it is very unlikely to be a crack target ;-) if your domain is called cnn.com or the like, you would not run sendmail for the sake of security. most script kiddie attacks get fixed very fast in sendmail, but nobody will change the base design of the software which is potentially dangerous. /k -- question = ( to ) ? be : ! be; // Wm. Shakespeare KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karstenrohrbach.de -- alphangenn.net -- alphascene.org -- [EMAIL PROTECTED] GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 PGP signature
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List, Saturday, June 02, 2001, 7:24:56 AM, you wrote: I like sendmail, its slow - yes, but it is powerful and this silly bugs are fixed fast. Its just some C-Code, everyone knows this. LM Yeah, it is only a few hundred thousand lines of code, and you should have LM looked through it for bugs or exploits before you compiled it, right? It Well, this is a strange argument, sorry. There is no product without any errors, maybe a hello world program. If you write it in c++, its a design problem if you use a try..catch.. within the main clause or not, for example. There are a lot of security bugs everywhere in a lot of programs, the most of them are non-critical to critical, and some fanatic people are screaming about some really silly problems. Software engineering is a living process. Bugs are normal, the are reported and then fixed. Thats all, there are some more important things in live as i am the master i have found a (silly) bug. The peoples are screaming if they found a bug, they are the masters, but its just a bug, and after the bug is fixed, the problem is over. If you will find 100 bugs in sendmail they are fixed then after reporting them. The games is over, the problem is solved. The admin updates, and thats all. The day continues. Bugs are +just bugs+ and the are fixed after reporting them. -- Boris
Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
Why no one makes a package with all you need to download and install, here is a suggestion: - qmail - the tcpserver - something good for pop before smtp - vpopmail - good tools for blocking spam, blocking mails from open relays, and so on - and other additions from other people i do not know There should be one file to download and the makefile should do nearly everything neccessary. I should not spend days to understand the different modules as a newbie, it takes too much time. the author of qmail has specific rules for how qmail packages can be distributed. see http://cr.yp.to/qmail/dist.html basically, you can distribute so called var-qmail packages, but anything else seems to require the Dan Bernstein's approval.
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List, Saturday, June 02, 2001, 7:24:56 AM, you wrote: LM If you bought (OK, got for free) a car, and it exploded, leaving you LM burned, then you waited a week to get a new car mailed to you, then you The car is not exploding, someone comes and looks at your car. He is searching and searching and searching until he finds a silly bug like the fuel meter showes something wrong, this could be a security risk but in fact the men is driving the car years without a problem. Some month he updates the car (new version) and thats all. -- Boris
Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
* Boris [EMAIL PROTECTED] [010602 16:28]: LM If you bought (OK, got for free) a car, and it exploded, leaving you LM burned, then you waited a week to get a new car mailed to you, then you The car is not exploding, someone comes and looks at your car. He is searching and searching and searching until he finds a silly bug like the fuel meter showes something wrong, this could be a security risk but in fact the men is driving the car years without a problem. Some month he updates the car (new version) and thats all. Not quite. More like someone inspects your free car and finds a button that can make it explode. Maybe he pushes the button, maybe not. Maybe he pushes the button on someone else's car. Are you willing to take that risk? I can imagine two situations where that would be the case: either you do something that is so unimportant for the rest of the world that noone bothers destroying your work, or you do something that is so good for everyone that noone will want to destroy your work, not even out of envy. Come on, not even the UN are _that_ good :-) -Johan -- Johan Almqvist http://www.almqvist.net/johan/qmail/ PGP signature
Re[4]: Oops,I guess Sendmail wasn't secure after all...
Hello Johan, JA Not quite. More like someone inspects your free car and finds a button JA that can make it explode. Maybe he pushes the button, maybe not. Maybe he JA pushes the button on someone else's car. Are you willing to take that JA risk? I can imagine two situations where that would be the case: either Well, there is no button with a text like press me here -) for the public. If we are talking about the security of a product, we have several things to take a look at. Internal security (a mailserver-only solution, mailserver+webserver, n mailservers, persons who access the mail queue as root). External security. Buffer overflows, chroot problems, jail problems, password problems. Design specific topics, what is secure, what is not secure, what can be implemented, what is not secure. As root i can read all the messages in clear text, sendmail or qmail - a security risk? An attack to privacy? Or just a design problem? Or is it not a design problem, its just normal? Security is relative. -- Boris
Re[2]: Oops,I guess Sendmail wasn't secure after all...
On Sat, 2 Jun 2001, Boris wrote: There should be one file to download and the makefile should do nearly everything neccessary. I should not spend days to understand the different modules as a newbie, it takes too much time. I would argue that you /should/ take the time. Qmail's power lies in its amazing flexibility and configurability, but the downside is that it's easy to get things not quite the way you wanted it. As a wise man once said (or words to that effect), If you can't find the time to do it right, how will you find the time to do it over? IMO, this applies to qmail in spades (and most of DJB's software in general). If you're in a hurry, the mail-related stuff bundled with your favorite distro (hopefully at least postfix-quality) is probably a better choice. That'll at least get you up and running till you can find the time to Understand And Do The Right Thing, or until a security compromise or broken setup forces you to make time. 8-) -- Adrian Ho [EMAIL PROTECTED]
Re: Oops,I guess Sendmail wasn't secure after all...
Aaron L. Meehan([EMAIL PROTECTED])@2001.06.01 12:14:20 +: I've been looking for a sucker.. OK I'll bet a six pack is doesn't. (or, if Bud, I'd demand a case) i put another six pack on top. Reasons per priv. mail -- regards, Patrick Patrick Atamaniuk [EMAIL PROTECTED] http://www.atamaniuk.de http://www.atabersk.de PGP signature
Re: Oops,I guess Sendmail wasn't secure after all...
On Sat, Jun 02, 2001 at 05:20:01PM +0200, Boris allegedly wrote: Hello Johan, JA Not quite. More like someone inspects your free car and finds a button JA that can make it explode. Maybe he pushes the button, maybe not. Maybe he JA pushes the button on someone else's car. Are you willing to take that JA risk? I can imagine two situations where that would be the case: either Well, there is no button with a text like press me here -) for the public. Of course there is, silly. Tell us, your mail progam seems to be The Bat! (v1.48f) Personal - did you write this program from scratch yourself or did you simply click a few buttons and install the work of someone else? Now, what do you think most script kiddies do? They don't scour the code for exploits as you imply with there is no button. They simply download the hard work of one or two people and install the pre-built button. It's trivial. So, press me here is as far away as a download. You're not seriously suggesting this is a serious secruity barrier are you? If we are talking about the security of a product, we have several things to take a look at. Internal security (a mailserver-only solution, mailserver+webserver, n mailservers, persons who access the mail queue as root). External security. Buffer overflows, chroot problems, jail problems, password problems. Design specific topics, what is secure, what is not secure, what can be implemented, what is not secure. You are obscuring definition with implementation (and jargon for that matter). As root i can read all the messages in clear text, sendmail or qmail - a security risk? An attack to privacy? Or just a design problem? Or is it not a design problem, its just normal? Security is relative. No it's not. You're futzing and confused. This is real simple. The security of a product is defined as a set of claims about providing certain protection. A security problem exists when the product does not meet a stated claim. Eg, qmail never claimed to protect clear text messages on disk from root, so why did you bring it up? However, both qmail explicitly and sendmail (somewhat less explicitly) do make claims about protecting against a user gaining elevated priviledges. This thread started from yet another alert about being able to corrupt the memory of sendmail. Corrupting memory is a tried and true method of gaining elevated priviledges and time and again this method *has* been used to gain elevated priviledges via sendmail. In other words, sendmail has repeatedly failed to live up to it's security claims and it looks like this current announcement may be just another example. So, inspite of what you say, you do not have to have several things to take a look at and you don't have to understand sentences full of buzzwords like chroot problems and jail problems... You simply ask the question has sendmail failed to live up to it's security claims. The answer is a repeated yes bordering on recidivism and no amount of obfuscation by you will change that fact. Your sole defense is that sendmail doesn't make such security claims explicitly and thus people are silly to infer such security. This is indeed a strong argument. Regards.
Re: Oops,I guess Sendmail wasn't secure after all...
At 12:25 PM 6/2/01, Mark Delany wrote: On Sat, Jun 02, 2001 at 05:20:01PM +0200, Boris allegedly wrote: Well, there is no button with a text like press me here -) for the public. Of course there is, silly. Now, what do you think most script kiddies do? They don't scour the code for exploits as you imply with there is no button. They simply download the hard work of one or two people and install the pre-built button. It's trivial. So, press me here is as far away as a download. You're not seriously suggesting this is a serious secruity barrier are you? This is a very, very good point. We have unfortunately reached a stage where the crackers don't need to actually _know_ anything anymore. They download a port scanner and a root kit, and can compromise your machine without having any real understanding of what's going on. You not only have to protect yourself from the skilled, determined cracker, but also from the unskilled, casual cracker. The former is far more difficult than the latter, but fortunately the really talented black hats have better things to do than hit 99% of the machines out there. We had a machine compromised by an exploit in the wu-ftpd package a couple of years ago. Fortunately, I happened to be on the machine when it occurred, and was able to monitor the cracker's activities and shut him down before he was able to cause any real damage. Based upon the things he typed, he had no idea what he was doing: cd /etc/init. cd /etc/init.d ls cd etc ls ls init* ls rc* cd rc.local ls ls -al rc.* cd init.d And yet, in the space of 5-10 minutes, he was able to break in and install three trojans. Sendmail can be secure, if you really know what you're doing and stay on top of the patches that come out (every three days or so). I don't have that kind of time, so I'd rather have a mail server that is secure out of the box. We've been gradually migrating our domains from sendmail to qmail over the last ~year; I've had to patch sendmail at least twice, qmail hasn't needed anything since install. I can deal with (sometimes) sketchy documentation and the hassle of installing 12 different things to get the results I want - that's still easier than restoring a machine that's been compromised. Todd
Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
Boris writes: If you will find 100 bugs in sendmail they are fixed then after reporting them. The games is over, the problem is solved. The admin updates, and thats all. Actually, the admin doesn't update. Or rather, some do, and some don't. -- -russ nelson [EMAIL PROTECTED] http://russnelson.com Crynwr sells support for free software | PGPok | Microsoft rivets everything. 521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws. Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | You own a screwdriver.
Oops,I guess Sendmail wasn't secure after all...
From: Gregory Neil Shapiro [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: sendmail 8.11.4 and 8.12.0.Beta10 available Sendmail, Inc., and the Sendmail Consortium announce the availability of sendmail 8.11.4 and 8.12.0.Beta10. 8.11.4 revamps signal handling within the MTA in order to reduce the likelihood of a race condition that can lead to heap corruption as described in Michal Zalewski's advisory. The problems discussed in the advisory are not currently known to be exploitable but we recommend upgrading to 8.11.4 in case a method is found to exploit the signal handling race condition. 8.11.4 also fixes other bugs found since the release of 8.11.3. 8.12.0.Beta10 includes the changes in signal handling from 8.11.4. Moreover, there is a significant change compared to earlier beta versions: by default sendmail is installed as a set-group-id binary; a set-user-id root binary will be only installed if the proper target is selected (see sendmail/SECURITY). Beta10 fixes also a few bugs, especially possible core dumps during queue runs and in a milter application (using smfi_chgheader), possible rejection of messages due to an uninitialized variable, and omitting queue runs if queue groups are used and the total number of queue runners is restricted to less than the sum of the individual queue runners. Also from bugtraq: From: [EMAIL PROTECTED] (Michal Zalewski) Subject: Unsafe Signal Handling in Sendmail RAZOR advisory: Unsafe Signal Handling in Sendmail Issue Date: May 28, 2001 Contact: Michal Zalewski [EMAIL PROTECTED] Topic: Sendmail signal handlers used for dealing with specific signals are vulnerable to numerous race conditions. Affected Systems: Any systems running sendmail (tested on sendmail 8.11.0, 8.12.0-Beta5) Details: Sendmail signal handlers used for dealing with specific signals (SIGINT, SIGTERM, etc) are vulnerable to numerous race conditions, including handler re-entry, interrupting non-reentrant libc functions and entering them again from the handler (see References for more details on this family of vulnerabilities). This set of vulnerabilities exist because of unsafe library function calls from signal handlers (malloc, free, syslog, operations on global buffers, etc). ... References: For more information on signal delivery race conditions, please refer to RAZOR whitepaper at: http://razor.bindview.com/publish/papers/signals.txt Anyone want to takes bets on whether qmail has unsafe signal handlers? -Dave
Re: Oops,I guess Sendmail wasn't secure after all...
Quoting Dave Sill ([EMAIL PROTECTED]): Anyone want to takes bets on whether qmail has unsafe signal handlers? I've been looking for a sucker.. OK I'll bet a six pack is doesn't. (or, if Bud, I'd demand a case) Aaron
Re: Oops,I guess Sendmail wasn't secure after all...
Hello Dave, DS Anyone want to takes bets on whether qmail has unsafe signal handlers? DS -Dave I really can´t hear the qmail is the most secure bla bla anymore, really. I like sendmail, its slow - yes, but it is powerful and this silly bugs are fixed fast. Its just some C-Code, everyone knows this. At the moment I am evaluating qmail, and there are some things I am missing from sendmail. When I was using sendmail on my FreeBSD Server, it has never been hacked, very strange ugh? -- Boris
Re: Oops,I guess Sendmail wasn't secure after all...
On Sat, Jun 02, 2001 at 05:01:57AM +0200, Boris allegedly wrote: bugs are fixed fast. Its just some C-Code, everyone knows this. This is a troll, right? I have a lock on my front door that I know can be opened with a paperclip, but heck, those nice people who make the locks will supply me with a new lock soon, so what's the problem? When I was using sendmail on my FreeBSD Server, it has never been hacked, very strange ugh? This is a troll, right? I left my front door unlocked last night and no one walked in and stole anything, ergo, front door locks are a complete waste of time. Ok. It is a troll, no one could be silly enough to say those things and believe them. Regards.
Re: Oops,I guess Sendmail wasn't secure after all...
Boris writes: I really can´t hear the qmail is the most secure bla bla anymore, really. Why? It's true. At the moment I am evaluating qmail, and there are some things I am missing from sendmail. Like what? -- -russ nelson [EMAIL PROTECTED] http://russnelson.com Crynwr sells support for free software | PGPok | Microsoft rivets everything. 521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws. Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | You own a screwdriver.
Re: Oops,I guess Sendmail wasn't secure after all...
I like sendmail, its slow - yes, but it is powerful and this silly bugs are fixed fast. Its just some C-Code, everyone knows this. Yeah, it is only a few hundred thousand lines of code, and you should have looked through it for bugs or exploits before you compiled it, right? It is just some C code, so you checked it out and fixed these bugs even before they were posted on bugtraq, right? I am glad that someone else is intimately familiar with the various bugs/incompatibilities with the various standard C libraries, OS differences regarding race conditions, etc. Please post a URL to your reviewed commented sendmail source. If you bought (OK, got for free) a car, and it exploded, leaving you burned, then you waited a week to get a new car mailed to you, then you drove it a month, it exploded again.repeat for 15+ years.would you not think of maybe trying a different free car? Is anyone offering a bounty on trolls? --ListMonkey = All your SMTP are belong to us.