Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)

[wietse () porcupine org (Wietse Venema)]

I wrote:
> Local mail delivery crosses the mail-to-user boundary in several
> places. Assuming traditional UNIX user/group/other permissions and
> uid/gid-based privileges, and the traditional /var/mail, aliases
> and .forward interface with user-specified shell commands:
>
> 1 - Appending mail to mailbox. This can be done securely by
> nobody:mail provided that the mailbox has group write permission.
> But that is only the easy part.
>
> 2 - Lock file management. If mail is delivered as nobody:mail, then
> /var/mail/username.lock files are owned by user nobody.  This means
> you can't use mode 1777 /var/mail permissions [...]

Several people pointed out that username.lock files can be eliminated
from the equation.  That may be the case on their specific systems.
However, many systems in the real world do require username.lock
files as part of their local mail delivery interface.  Simply
calling those systems "obsolete" does not make them go away.

Some suggested changes to the the mail-to-user interface.  That
interface can certainly stand improvement. However, such comments
are outside the scope of the argument: whether or not unprivileged
local delivery as nobody:mail provides security without loss of
features. 

In a world that requires username.lock files, one would have to
cheat and use privileged mail user agents. In a world that expects
that people can specify arbitrary shell commands in ~user/.forward
files, one would have to cheat and use privileged helper programs.

        Wietse