/bin/mail...

[pug () arlut utexas edu (Pug)]

Good Morning,

  After playing with the race condition this morning, I honestly don't
  see how the patch made it worse. (Unless I've got the scripts
  backwards.) The first exploit allowed you to create or append to any
  file. The second exploit only allows you to create any file. Yeah, it
  probably makes people feel more secure, but it's silly if they feel
  safe. So, after the patch, you can atleast not append to /etc/passwd
  or whatever. As well, it seems that if there is an alias for the 0 UID
  user, the problem doesn't exist. (Atleast I didn't see an option for
  not doing an alias with binmail. I could be wrong.) As well, even if
  you could write to /etc/passwd (/etc/shadow) it doesn't parse past
  bogus lines. (ie. the mail headers) 

  Please let me know if I'm wrong in any of these statements.

Ciao,

-- 
Richard Bainter          Mundanely     |    System Analyst        - OMG/CSD
Pug                      Generally     |    Applied Research Labs - U.Texas
          pug () arlut utexas edu         |    pug () bga com
Note: The views may not reflect my employers, or even my own for that matter.