Bugtraq mailing list archives
Re: Solaris /usr/bin/mailx exploit (SPARC)
From: Dan Astoorian <djast () cs toronto edu>
Date: Tue, 15 May 2001 09:29:37 -0400
On Mon, 14 May 2001 04:24:10 EDT, Casper Dik writes:
> By forcing a file permission of 600 on mailboxes, group mail should not gain you anything.

Under some older Solaris releases (e.g., including 2.5.1), the /etc/mail directory belongs to group mail and is group-writable, by default; that'll gain you plenty. Sun has fixed this in recent releases, but if you're running a backrev OS, it would be wise to "chmod g-w /etc/mail" (or remove the setgid bit from all utilities in group mail).

/var/mail/:saved is also writable by group mail by default--even under Solaris 8. (/bin/[r]mail allegedly uses this directory "for holding temp files to prevent loss of data in the event of a system crash"; does it do so safely, or might gaining gid-mail open up symlink attacks?)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast () cs toronto edu     not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck.  --Dan Redican
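As an added example (not part of the original post or of Solaris), a small POSIX sh audit that checks the two directories the reply names for the group-write bit and lists setgid programs owned by group mail, so an administrator can see whether the "chmod g-w" advice applies to a given system. The function names, the ROOT argument (for auditing a mounted backrev filesystem rather than the live one) and the MAILGROUP default are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper; not from the original post. Checks the conditions the
# reply describes: group-writable /etc/mail and /var/mail/:saved, and setgid
# programs in group mail. MAILGROUP and the ROOT argument are assumptions.

MAILGROUP="${MAILGROUP:-mail}"

# group_writable PATH: succeed if the group-write bit is set.
# Parses 'ls -ld' (portable across Solaris and GNU): char 6 is group 'w'.
group_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c6)" = "w" ]
}

# audit_mail_dirs ROOT: check the directories the post names under ROOT
# ("" = live system). Prints one line per finding; returns the number
# of findings, so 0 means nothing to fix.
audit_mail_dirs() {
    root="$1"; n=0
    for d in /etc/mail "/var/mail/:saved"; do
        p="$root$d"
        [ -d "$p" ] || continue
        if group_writable "$p"; then
            echo "WARN: $p is group-writable ($(ls -ld "$p" | cut -c1-10)); fix: chmod g-w $p"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# setgid_in_group ROOT GROUP: list setgid regular files under ROOT owned by
# GROUP, i.e. the programs whose setgid bit the post suggests removing.
setgid_in_group() {
    find "$1" -type f -perm -2000 -group "$2" 2>/dev/null
}

# Stand-alone use: sh audit_mail.sh /   (or a mounted root such as /mnt/old)
if [ $# -eq 1 ]; then
    audit_mail_dirs "${1%/}"
    setgid_in_group "$1" "$MAILGROUP"
fi
```

Run it as root so that find can traverse every directory; on a multi-host estate the same functions can be pointed at each mounted root in turn.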