Summary (kinda): smtp question

From: Jim Meritt (meritj@fincen.treas.gov)
Date: Fri Sep 20 1996 - 13:15:26 CDT


The original question was:

> The default UID for the smtp account (or so I was told. It IS the
> UID in the boxes here, and they claim they have not been changed)
> is '0'. This UID is not one I want other than root to have.
>
> Any idea why it may be so, and what impact changing it to something
> else (and recommends as to what the 'else' would be)?

And I've been firmly advised in opposite directions:
_______________________________________________________________________________
From fpardo@tisny.com

The 'sendmail' program needs to execute, part of the time, with root
privileges. The good news is that it changes its identity at appropriate
times, so as a rule nothing should go wrong (barring bugs in 'sendmail',
of course).

Here are the titles of two very good books that you can refer to for
more details:

        Unix System Administration Handbook (2nd ed.)
        Evi Nemeth et al.
        Prentice Hall
        ISBN 0-13-151051-7

        sendmail
        Bryan Costales et al.
        O'Reilly & Associates
        ISBN 1-56592-056-2

The impact of changing the UID will be inability to send and receive
e-mail, which I'm sure you don't want.

_______________________________________________________________________________
From rali@meitca.com

Several reasons:

   1) SMTP listens on TCP port 25
       Ports numbered below 1024 can only be accessed by a process with
       root UID; this is enforced by the kernel and provides a basic
       level of trustworthiness (much less in a world that lets PeeCees
       talk TCP/IP ...)

   2) In order to open a user mailbox and append new messages, the SMTP
       server must invoke the system call seteuid() and assume the
       privileges of the user.

   3) In order to assure the privacy of mail in the queue directory,
       access to that directory must be restricted

Some flavours of sendmail and other SMTP servers can be run with less
privilege.

Look at:

   http://www.his.com/~brad/sendmail/ (Sendmail FAQ)
   http://www.informatik.uni-kiel.de/%7Eca/email/english.html (Sendmail hints)

for much more detail on these subjects.

_______________________________________________________________________________
From joey@q7.com

i've installed sendmail 8.7.5 and removed the smtp entry from passwd. no
problems that i can tell.
_______________________________________________________________________________
From pobrien@cfa.harvard.edu
> That's crazy. The documentation for Sendmail V8 has a section
> on the issue of UID, and it's recommended that it be set to something
> harmless.
> .....................................................................
>
> No disagreement that it is crazy. Any suggestions as to what?
> (the same as nobody?)

Anything unique and non-privileged. In the documentation, they had a number
around 32,000.

_______________________________________________________________________________

So it is either essential or crazy and a number either 0 or around 32,000.

I am not less confused....

Jim Meritt

So what now?

Jim
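
The check behind the original question, as an added example that is not part of the thread: list every passwd entry other than root that holds UID 0, and every UID shared by more than one account. The sample passwd text is constructed, and the function name audit_passwd is hypothetical.

```python
"""Audit passwd(5)-format text for accounts other than root that hold UID 0."""

# Constructed sample (not from the thread): an 'smtp' entry sharing UID 0 with
# root, as the question describes, plus an unprivileged id near 32000.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
# local comment
nobody:x:60001:60001:Nobody:/:
+::::::
broken-line-without-fields
mailer:x:32000:32000:unprivileged mail id:/var/spool/mqueue:/bin/false
"""


def audit_passwd(text):
    """Return (uid0_extra, shared, malformed).

    uid0_extra: account names with UID 0 other than 'root'
    shared:     {uid: [names]} for every UID held by more than one account
    malformed:  line numbers that are not valid seven-field entries
    """
    by_uid, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment
        if line[0] in "+-":
            continue                      # NIS compat entry, no local UID
        fields = line.split(":")
        uid = fields[2] if len(fields) == 7 else ""
        if not (uid.isascii() and uid.isdigit()):
            malformed.append(lineno)      # wrong field count or bad UID
            continue
        by_uid.setdefault(int(uid), []).append(fields[0])
    uid0_extra = [name for name in by_uid.get(0, []) if name != "root"]
    shared = {u: names for u, names in by_uid.items() if len(names) > 1}
    return uid0_extra, shared, malformed


if __name__ == "__main__":
    extra, shared, bad = audit_passwd(SAMPLE_PASSWD)
    for name in extra:
        print(f"WARNING: {name} has UID 0 (full root privileges)")
    for uid, names in shared.items():
        print(f"UID {uid} shared by: {', '.join(names)}")
    for lineno in bad:
        print(f"line {lineno}: malformed entry skipped")
```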


