Bugtraq mailing list archives
Re: Solaris /usr/bin/mailx exploit (SPARC)
From: woods () weird com (Greg A. Woods)
Date: Tue, 15 May 2001 13:09:21 -0400 (EDT)
[ On Monday, May 14, 2001 at 10:24:10 (+0200), Casper Dik wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> I'm not sure why all of the Solaris mail programs are actually set-gid mail.
Then you should learn! There are very good reasons for this! But don't try to learn from Solaris itself -- learn from its roots! Solaris has a horribly twisted and broken local mail architecture now.
> If you strip set-gid mail from /usr/bin/mail, /usr/bin/mailx,
> /usr/SUNWale/bin/mailx, /usr/dt/bin/dtmail, /usr/dt/bin/dtmailpr,
> /usr/openwin/bin/mailtool nothing should break. (At least not if your
> /var/mail directory has the standard 1777 permissions)
That's NOT the way SysV mail was designed to work! It was *designed* to work with setgid-mail! It was *designed* to never require root privileges in the mail delivery system, and in a proper implementation it doesn't!

Using 1777 permissions opens up a whole new can of worms and *requires* (at least generically) that all mailboxes be created *before* the corresponding account is created.

The problem is that mailx was never really corrected in Solaris (either that, or it was and then subsequent merges of new BSD code overwrote the fixes). (mailx of course being based on the much older design of the BSD mail system, which was of course based on the original and insecure v7 mail system.)
> By forcing a file permission of 600 on mailboxes, group mail should not gain
> you anything.
If you can do that then that suggests the local delivery agent is also broken and may be using root privileges! It should *NOT* (at least not for the SysV mailbox design). The idea is that a compromise of the mail subsystem, i.e. group mail, should only ever give access to just mailboxes (and not even any of the programs themselves), and nothing more, unlike the older v7 mail system where a compromise was the equivalent of a total superuser compromise. Too bad modern systems went backwards in this respect and still often leave mail systems running as root.

Even as far back as SysIII (i.e. 1980) there's clear evidence that the entire AT&T UNIX mail system was leaning far away from using root privileges and would work entirely with just setgid.

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
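The two spool layouts argued over above (a world-writable, sticky /var/mail at 1777 versus a spool that only group "mail" can write, reached through set-gid mail programs) can be told apart mechanically. The script below is an added example, not code from either poster or from Solaris: it classifies a spool directory, counts which of the binaries Casper Dik listed still carry the set-gid bit, and runs against a constructed fixture directory so it works offline. The helper names (is_setgid, spool_style, count_setgid, make_fixture) are my own; the Solaris paths in the comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a mail spool directory
# and a list of mail programs for the set-gid / 1777 arrangements discussed
# above. Uses only POSIX find and chmod so it runs on Solaris, Linux or BSD.

# is_setgid PATH: succeeds when the set-gid bit (02000) is set on PATH.
# -prune keeps find from descending if PATH is a directory.
is_setgid() {
    [ -n "$(find "$1" -prune -perm -2000 -print 2>/dev/null)" ]
}

# is_group_writable PATH: succeeds when the group-write bit (0020) is set.
is_group_writable() {
    [ -n "$(find "$1" -prune -perm -0020 -print 2>/dev/null)" ]
}

# spool_style DIR: classify a mail spool directory.
#   shared-1777 : world-writable with the sticky bit (drwxrwxrwt), the layout
#                 under which the set-gid bits are said to be unnecessary
#   group-mail  : writable by its group but not by everyone, the SysV layout
#                 where delivery agent and MUAs run set-gid mail
#   other       : anything else (including a missing directory)
spool_style() {
    if [ -n "$(find "$1" -prune -type d -perm -1002 -print 2>/dev/null)" ]; then
        echo shared-1777
    elif [ -d "$1" ] && is_group_writable "$1" && \
         [ -z "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo group-mail
    else
        echo other
    fi
}

# count_setgid PATH...: print (on stdout) how many of the existing PATHs are
# set-gid; the per-file verdict goes to stderr so a test can use the count
# while a human still sees the detail.
count_setgid() {
    n=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%-28s missing\n' "$f" >&2
        elif is_setgid "$f"; then
            printf '%-28s setgid\n' "$f" >&2
            n=$((n + 1))
        else
            printf '%-28s plain\n' "$f" >&2
        fi
    done
    echo "$n"
}

# make_fixture: constructed stand-in for a Solaris box so the audit runs
# offline. Prints the directory; the caller removes it. On Linux a non-root
# chmod silently drops the set-gid bit if the file's group is not one of the
# caller's groups, so run as a member of that group (or as root).
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/mail_1777" "$d/mail_setgid"
    chmod 1777 "$d/mail_1777"                # the "standard" layout quoted above
    chmod 2775 "$d/mail_setgid"              # group-writable, set-gid directory
    : > "$d/mailx";  chmod 2755 "$d/mailx"   # set-gid binary, as shipped
    : > "$d/dtmail"; chmod 0755 "$d/dtmail"  # set-gid bit already stripped
    echo "$d"
}

# Demo against the fixture. A real audit would use the paths from the thread:
#   count_setgid /usr/bin/mail /usr/bin/mailx /usr/SUNWale/bin/mailx \
#       /usr/dt/bin/dtmail /usr/dt/bin/dtmailpr /usr/openwin/bin/mailtool
#   spool_style /var/mail
FIX=$(make_fixture)
echo "spool $FIX/mail_1777   -> $(spool_style "$FIX/mail_1777")"
echo "spool $FIX/mail_setgid -> $(spool_style "$FIX/mail_setgid")"
echo "set-gid binaries: $(count_setgid "$FIX/mailx" "$FIX/dtmail" "$FIX/mailtool")"
rm -rf "$FIX"
```

If spool_style reports shared-1777 and count_setgid still reports set-gid binaries, the machine is running both models at once, which is the situation the thread is describing; a group-mail spool with no set-gid programs is the combination that actually breaks delivery.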
Current thread:
- Re: Solaris /usr/bin/mailx exploit (SPARC) Casper Dik (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Johann Klasek (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Andrew Hilborne (May 15)
- MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC)) Rich Lafferty (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 15)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Dan Astoorian (May 15)
- <Possible follow-ups>
- Re: Solaris /usr/bin/mailx exploit (SPARC) Tobias J. Kreidl (May 16)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Casper Dik (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 18)
- Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Wietse Venema (May 18)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Greg A. Woods (May 18)
- Re: Mail delivery privileges Peter W (May 19)
- Re: Mail delivery privileges Henrik Nordstrom (May 19)
- Re: Mail delivery privileges David Wagner (May 21)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Greg A. Woods (May 17)
- Re: Solaris /usr/bin/mailx exploit (SPARC) Johann Klasek (May 15)