Sendmail Without the Superuser

As an exercise in the application of the concept of least privilege, we have modified the pieces of an ordinary UNIX mail system, sendmail in particular, to require little or no privilege in their operation. No mail code runs with root or system IDs. In fact, the simplest configuration (local-only mail, with or without mandatory access controls) can run with no privilege or special access rights whatsoever, while even the most complex (multilevel network mail) can be done with minimal privilege requirements. While such modifications cannot guarantee the absence of security holes in mail, they should greatly limit their possible scope.