Re: Solaris /usr/bin/mailx exploit (SPARC)

[woods () weird com (Greg A. Woods)]

[ On Tuesday, May 15, 2001 at 13:46:23 (+0200), Johann Klasek wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> To correct slightly the picture of a set-gid mail environment: 
>
> set-gid has nothing to do with writing the inbox. It was in old days
> (without todays 1000 permission) the only method to allow mail clients
> the creation of .lock files and the inbox file itself in
> /var/spool/mail. It was never necessary to let the inbox writeable for
> group "mail" (of course, probably not true in very old System 7
> environments). Therefore, a 600 permission does NOT implicate an
> unnecessary group mail setup. The delivery into a mailbox is
> accomplished with user (inbox owner) permission (derived from the set-
> uid root MTA).

To correct that mis-information:

        V7 used setuid-root /bin/mail for delivery  (it was insecure)

        A correct implementation of SysV mail with setgid-mail does
        indeed require that mailboxes be writable by the group mail.

        The system mailbox spool directory must not be world writable.

        SysV mail is designed to eliminate *ALL* need for setuid-root!

By now you might have realised that SysV mail requires chown() to be
usable by non-root.  If so then you're right.  It's not compatible with
naive filesystem-based quotas.  Pick one: a) root compromises, or b)
quotas.  Actually, you don't have to -- you can implement mailbox quotas
in the mail delivery agent and you can put your mailbox directory on a
separate filesystem such that you don't have to use FS quotas there.

BSD's setuid-root mail subsystem is stupidly insecure, but many of us
do live with its risks every day.....  :-(

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>