Check out the new USENIX Web site.

Sendmail without the Superuser

Mark E. Carson
Secure Workstations Department
IBM Federal Sector Company, 182/3F42
Gaithersburg, MD 20879


As an exercise in the application of the concept of least privilege, we have modified the pieces of an ordinary UNIX* mail system, sendmail in particular, to require little or no privilege in their operation. No mail code runs with root or system IDs. In fact, the simplest configuration (local-only mail, with or without mandatory access controls) can run with no privilege or special access rights whatsoever, while even the most complex (multilevel network mail) can be done with minimal privilege requirements. While such modifications cannot guarantee the absence of security holes in mail, they should greatly limit their possible scope.

Download the full text of this paper in ASCII form (19,226 bytes).

To Become a USENIX Member, please see our Membership Information.