smtpd needs to be able to execute mda with user privileges to deliver mail to them; it cannot revoke all its privileges after binding ports. furthermore, mbox needs to be able to write to /var/mail, forcing it to retain some privileges.
after I'm done dealing with the aftermath, I'll explain in a detailed mail what has allowed the bug to amplify from a simple logic issue to a catastrophe, and the plan to prevent future logic bugs from having the same potential.

January 29, 2020 2:07 PM, "Oriol Demaria" <sysad...@the-grid.xyz> wrote:

> I understand that root might be required to open privileged ports, but then
> how commands are run as root when you exploit opensmtpd vulnerability?
>
> In case someone hasn't seen patch right now your system.
>
> Regards.
> --
> Oriol Demaria
> 0x58415679