On Thu, Jan 02, 2003, Terry Lambert wrote:
> Claus Assmann wrote:
> > On Thu, Jan 02, 2003, Terry Lambert wrote:
> > > Claus Assmann wrote:
> > > > What can you do with smmsp group access?
> >
> > > Send tons of SPAM.  Execute code as mailuser to raise my privilege
> > > to root, and then execute code as root.
> >
> > > 8-).
> >
> > Show me a way to do the latter. If you can do that, then it's
> > a bug that needs to be fixed.
> If it's a bug that needs to be fixed, it's a bug in the host OS,
> and not something that sendmail can address.

So your claim is wrong. You can't use the mailuser account to raise
your privileges to root.

> As I said before, I understand the PR problem of having a remote
> exploit be a remote root exploit vs. a remote $MAILUSER exploit:

Ok, let me say it once: this is B.S. This is not a P.R. problem,
it is a real technical problem as I proved to you before.

Since this discussion is off-topic for this list and you are not
able to prove your point, I stop here. If you want to continue, I
invite you to read the sendmail 9 design document and to tell me
which of the parts that involve the security features of it are
flawed.

http://www.sendmail.org/~ca/email/sm-9-rfh.html