Bugtraq mailing list archives

Re: Solaris /usr/bin/mailx exploit (SPARC)


From: Dan Astoorian <djast () cs toronto edu>
Date: Tue, 15 May 2001 09:29:37 -0400

On Mon, 14 May 2001 04:24:10 EDT, Casper Dik writes:

> By forcing a file permission of 600 on mailboxes, group mail should not
> gain you anything.

Under some older Solaris releases (e.g., including 2.5.1), the /etc/mail
directory belongs to group mail and is group-writable, by default;
that'll gain you plenty.

Sun has fixed this in recent releases, but if you're running a backrev
OS, it would be wise to "chmod g-w /etc/mail" (or remove the setgid bit
from all utilities in group mail).

/var/mail/:saved is also writable by group mail by default--even under
Solaris 8.  (/bin/[r]mail allegedly uses this directory "for holding
temp files to prevent loss of data in the event of a system crash"; does
it do so safely, or might gaining gid-mail open up symlink attacks?)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast () cs toronto edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
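
A read-only check for the two exposures the message describes (directories that are writable by group mail, and setgid utilities in that group), as an added example that is not part of the original post. The function names, the command-line interface and the choice of /usr/bin as the directory to scan are assumptions made for illustration; /etc/mail and /var/mail/:saved are the paths named in the message.

```shell
#!/bin/sh
# Added example: audit for group-writable mail directories and setgid
# utilities in a given group. Names and interface are illustrative.

# Print each given directory that belongs to group $1 and is group-writable.
group_writable_dirs() {
    grp=$1; shift
    for p in "$@"; do
        [ -d "$p" ] || continue
        # -prune keeps find on the directory itself (no descent).
        find "$p" -prune -type d -group "$grp" -perm -020 -print
    done
}

# Print setgid regular files owned by group $1 under the given directories.
setgid_files_in_group() {
    grp=$1; shift
    for p in "$@"; do
        [ -d "$p" ] || continue
        find "$p" -type f -group "$grp" -perm -2000 -print 2>/dev/null
    done
}

# Run the audit only when a group name is given, e.g.: sh audit.sh mail
if [ $# -ge 1 ]; then
    echo "Group-writable directories owned by group $1:"
    group_writable_dirs "$1" /etc/mail '/var/mail/:saved'
    echo "Setgid files in group $1 under /usr/bin:"
    setgid_files_in_group "$1" /usr/bin
fi
```

Any directory it prints is a candidate for the "chmod g-w" fix suggested in the message; any file it prints is a utility whose compromise would yield that group.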

