Bugtraq mailing list archives
Re: Solaris /usr/bin/mailx exploit (SPARC)
From: woods () weird com (Greg A. Woods)
Date: Tue, 15 May 2001 14:00:13 -0400 (EDT)
[ On Tuesday, May 15, 2001 at 13:46:23 (+0200), Johann Klasek wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> To correct slightly the picture of a set-gid mail environment:
> set-gid has nothing to do with writing the inbox. It was in old days (without today's 1000 permission) the only method to allow mail clients the creation of .lock files and the inbox file itself in /var/spool/mail. It was never necessary to let the inbox writeable for group "mail" (of course, probably not true in very old System 7 environments).
>
> Therefore, a 600 permission does NOT implicate an unnecessary group mail setup. The delivery into a mailbox is accomplished with user (inbox owner) permission (derived from the set-uid root MTA).

To correct that mis-information:

V7 used setuid-root /bin/mail for delivery (it was insecure)

A correct implementation of SysV mail with setgid-mail does indeed require that mailboxes be writable by the group mail. The system mailbox spool directory must not be world writable.

SysV mail is designed to eliminate *ALL* need for setuid-root!

By now you might have realised that SysV mail requires chown() to be usable by non-root. If so then you're right. It's not compatible with naive filesystem-based quotas. Pick one: a) root compromises, or b) quotas.

Actually, you don't have to -- you can implement mailbox quotas in the mail delivery agent and you can put your mailbox directory on a separate filesystem such that you don't have to use FS quotas there.

BSD's setuid-root mail subsystem is stupidly insecure, but many of us do live with its risks every day..... :-(

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
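
The spool properties named in the reply above (directory not world-writable, mailboxes writable by group mail) can be checked mechanically. The following audit is an added example, not part of the original message or of any mail system's code. The function names, the sample users, the 0775/01777 directory modes and the use of the temporary directory's own group as a stand-in for "mail" are assumptions.

```python
import os
import stat
import tempfile

def audit_sysv_spool(spool, mail_gid):
    """List deviations from the setgid-mail layout described in the reply."""
    findings = []
    d = os.stat(spool)
    if d.st_mode & stat.S_IWOTH:
        findings.append("spool: world-writable directory")
    if d.st_gid != mail_gid or not d.st_mode & stat.S_IWGRP:
        findings.append("spool: not writable by the mail group")
    for name in sorted(os.listdir(spool)):
        st = os.lstat(os.path.join(spool, name))  # lstat: never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{name}: not a regular file")
        elif st.st_gid != mail_gid or not st.st_mode & stat.S_IWGRP:
            findings.append(f"{name}: not writable by the mail group")
        elif st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"{name}: readable or writable by others")
    return findings

def build_spool(dir_mode, box_mode, users=("alice", "bob")):
    """Constructed sample spool; the temp dir's own group stands in for 'mail'."""
    spool = tempfile.mkdtemp(prefix="spool-")
    for user in users:
        path = os.path.join(spool, user)
        with open(path, "w") as f:
            f.write("From alice Tue May 15 14:00:13 2001\n\nconstructed message\n")
        os.chmod(path, box_mode)  # set the mode explicitly, independent of umask
    os.chmod(spool, dir_mode)
    return spool, os.stat(spool).st_gid

if __name__ == "__main__":
    for label, dir_mode, box_mode in [
        ("setgid-mail layout (0775 dir, 0660 boxes)", 0o775, 0o660),
        ("sticky layout (01777 dir, 0600 boxes)", 0o1777, 0o600),
    ]:
        spool, gid = build_spool(dir_mode, box_mode)
        print(label, audit_sysv_spool(spool, gid) or "conforms")
```

The second layout corresponds to the quoted message's sticky-bit directory with 600 mailboxes; the audit reports it because it tests only the setgid-mail properties.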