Sendmail without the Superuser
Mark E. Carson
Secure Workstations Department
IBM Federal Sector Company, 182/3F42
Gaithersburg, MD 20879
Abstract
As an exercise in the application of the concept of least privilege,
we have modified the pieces of an ordinary UNIX mail system, sendmail
in particular, to require little or no privilege in their operation.
No mail code runs with root or system IDs. In fact, the simplest
configuration (local-only mail, with or without mandatory access
controls) can run with no privilege or special access rights whatsoever,
while even the most complex (multilevel network mail) can be done with
minimal privilege requirements. While such modifications cannot
guarantee the absence of security holes in mail, they should greatly
limit their possible scope.