>> the only way to become root (that I know of) is to log in at
>> the console, or log in as a user in group wheel and su.
>
>How about a setuid process?  /usr/sbin/sendmail is setuid.

yes, it is.  but it knows it is, and calls getuid and geteuid
accordingly.

>Maybe there's a way to run the existing sendmail binary which would
>cause it to connect to the daemon, thus generating the log message
>you observed.

not that i know of.  the only way i can see to get it to say
"root@localhost" and not give an address (as in a tcp connection) is
to run it from the command line.  if it connects to the daemon, ip is
involved and you will have an associated address.

>That would account for your log that shows an action by root from the
>local host without any log of anyone actually becoming root.
>
>You might try playing with sendmail in command-line mode a little and
>see if you can get it to do the same thing.  Maybe something as simple
>as trying to send a mail message and interrupting it before you finish.

if you start sendmail with recipients instead of -bs (or with -t
instead of recipients) it will open a qfile (after assigning a qid)
and start an outbound message that is assumed to be completed when you
quit.  if you were to kill sendmail instead of finishing the message
(don't even type anything), you'd have qfiles left over but nothing
logged at all.

>Even if this isn't the answer, you might want to check for other
>setuid executables and see if they all look ok.

something sent mail...or tried to and gave up.  no idea what...

-- 
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
codewarrior@daemon.org                               that goes *ping*!"
warfare@graffiti.com      * "information is power -- share the wealth."