Sendmail and secure design
Jason Miller, 2006-05-01

Sendmail's wide market share, ancient code base and long vulnerability history make it an interesting example of the need for software to start from a secure design.

Comments:
An Example 2006-05-02
Anonymous
Where can we find a better example of this (not related to sendmail) than the vulnerability recently pointed out in Oracle
http://www.securityfocus.com/bid/17699...

Sendmail and root??? 2006-05-02
Anonymous
"Sendmail might be a relatively old application, but it wasn't designed with the ultimate goal of security in mind. Sendmail's liberal use of root access exacerbates these problems."

It has been at least 5 years since sendmail has used root routinely. The MTA can run as anyone or no-one. It only ...

Sendmail and secure design 2006-05-02
Robert Banz (rob@nofocus.org)
I'm surprised that people are still going around saying "sendmail runs as root." Most operating systems that integrate sendmail now ship it running as another user (such as smmsp, sendmail, etc.) and leave the root-running to something less dangerous, such as the local delivery agent.

It's besid...

Sendmail and secure design 2006-05-02
J. Lasser
Sendmail hasn't run primarily as root in a very long time now. Has Jason run sendmail in the last two years, or even looked at its current design? This article seems out of date, at best....

Sendmail 2006-05-03
Alexey Vesnin
It's a good point to find, describe and determine the bug/inconvenience or just a mistype in application - we're ALL humans, not the bots. We have a right to make mistakes sometimes, but don't all the times. Remember Windows XP SP1 - yes, there were a lot of good bugfixes, adding two times more proble...

Sendmail and secure design 2006-05-03
Matthew Murphy
I buy the idea that there are a finite number of vulnerabilities in any given code base. For instance, one given version of Sendmail, as-released, will only contain a certain number of bugs. This is only logical, as Sendmail is made up of a finite amount of code.

As such, maturity generally hel...

Sendmail and root??? 2 2006-05-09
Anonymous
Agree with the anonymous poster of "Sendmail and root???"...

I guess sendmail is primarily used on gateways and therefore DOESN'T need to be root. There are a few scenarios where you need to run as root. Like for example with local delivery. But why do that on a gateway?

/P...

Copyright 2009, SecurityFocus