Bugtraq mailing list archives
Re: Serious Linux 2.0.34 security problem
From: segv () SETEC ORG (Segv)
Date: Mon, 29 Jun 1998 12:22:32 -0400
There seem to be some more problems with mailx. While browsing over the source, I found the code that handles the '!' command (this appears in names.c):

    if ((shell = value("SHELL")) == NOSTR)
        shell = SHELL;
    execl(shell, shell, "-c", fname, 0);

As you can see, the value() function returns a pointer to the value of the environment variable SHELL. If SHELL isn't set, it defaults to /bin/bash (consult local.h). Then execl() is called to execute the value that shell points to. So you can execute commands with sgid mail privs.

One problem you may run into is shells that drop privs if rgid != egid, so you could simply write a wrapper that calls setrgid(mail), then executes the specified command with sgid mail privs.

Affected: systems that have mailx sgid mail.

Thanks: aleph1 for his ideas.

-----
segv <segv () setec org>
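The fix a maintainer would want for the code quoted above, as an added example that is not from the original post or from mailx itself: a set-gid program should not exec a path taken from the caller's environment while it still holds the elevated group, and it should drop the privilege (and verify the drop) before handing control to a shell. It assumes a POSIX system with setresgid(2) (glibc) and uses /bin/sh as the fallback shell.

```c
/* Added example (not mailx code): running a "!" command from a set-gid
 * program without passing the elevated group to an attacker-chosen shell.
 * Assumes glibc for setresgid(2). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_SHELL "/bin/sh"   /* the post's build fell back to /bin/bash */

/* Honour $SHELL only when the process is not privileged (real gid equals
 * effective gid) and the value is an absolute path; otherwise use the
 * compiled-in default, so the environment cannot pick the binary that
 * runs with the sgid group. */
const char *choose_shell(const char *env_shell, int privileged)
{
    if (privileged || env_shell == NULL || env_shell[0] != '/')
        return DEFAULT_SHELL;
    return env_shell;
}

/* Permanently drop the set-gid privilege: real, effective and saved gid
 * all become the real gid. Returns 0 on success, -1 if the drop failed
 * or did not take effect; the caller must not exec() on failure. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;                       /* partial drop: refuse to continue */
    return 0;
}

/* Hardened counterpart of the quoted names.c logic: pick the shell while
 * we still know whether we are privileged, drop privs, then exec. */
int run_shell_command(const char *cmd)
{
    int privileged = getgid() != getegid();
    const char *shell = choose_shell(getenv("SHELL"), privileged);
    if (drop_group_privs() != 0)
        return -1;
    execl(shell, shell, "-c", cmd, (char *)NULL);
    return -1;                           /* only reached if execl() fails */
}

int main(void)
{
    return run_shell_command("id") == 0 ? 0 : 1;
}
```

Run unprivileged, `id` is executed by the user's own $SHELL; when the binary is sgid, $SHELL is ignored and the command runs under the real group only.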