Re: Serious Linux 2.0.34 security problem

[segv () SETEC ORG (Segv)]

There seems to be some more problems with mailx. While browsing over the
source, I found the code that handles the '!' command.
(this appears in names.c)

  if ((shell = value("SHELL")) == NOSTR)
        shell = SHELL;
   execl(shell, shell, "-c", fname, 0);

As you can see the value() function returns a pointer to the value of (the
envoriment variable) SHELL. If SHELL isn't set it defaults to /bin/bash
(consult local.h). Then execl() is called to execute the value that shell
points too. So you can execute commands with sgid mail privs. One problem
you may run into is shell's that drop privs if rgid != egid, so you could
simply write a wrapper that calls setrgid(mail) then executes the specified
command with sgid mail privs.

Affected: system's that have mailx sgid mail.
Thanks: aleph1 for his ideas.

-----

segv
<segv () setec org>