Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)

[Lyle Seaman <lws () spinnakernet com>]

"Steven M. Bellovin" wrote:

> That's more an artifact of Plan 9 than of upas -- upas on Unix did
> support 'Pipe to'.  But Plan 9 has no notion of setuid nor (as I
> recall) of superuser, so it can't do that.  And while there are
> certainly security issues with delivery to programs (that's why
> sendmail had to implement smrsh), not having write ability to per-user
> files causes problems for programs like 'vacation'.

One of the features of AFS which was intended specifically for mail delivery
programs, was the notion of "insert-only" access rights which were distinct
from the ability to read files or directories.  It's a similar concept to
using the sticky bit on temp directories.  What it meant in practice was that
each user had a mail delivery directory which permitted anonymous insert (and
possibly lookup) but no other access.  This hypothetically allowed the mail
delivery program to run as nobody, but allowed anonymous email.  If you wanted
to prevent anonymous email, you would permit insertion only by authenticated
users, and thus internet mail delivery would run as "somebody".   Local mail
delivery ran with the permissions of the user doing the sending, naturally.

providing finer-grained access controls allows the use of finer, sharper,
application tools.  It's hard to build picture frames with a 5-pound sledge.