Bugtraq: Re: more problems with mailx

Re: more problems with mailx

From: Nathan Dorfman <nathan_at_RTFM.NET>
Date: Tue, 30 Jun 1998 19:31:35 -0400

On Mon, Jun 29, 1998 at 12:22:32PM -0400, Segv wrote:
> There seem to be some more problems with mailx. While browsing over the
> source, I found the code that handles the '!' command.
> (this appears in names.c)
>
>     if ((shell = value("SHELL")) == NOSTR)
>         shell = SHELL;
>     execl(shell, shell, "-c", fname, 0);
>
> As you can see the value() function returns a pointer to the value of (the
> environment variable) SHELL. If SHELL isn't set it defaults to /bin/bash
> (consult local.h). Then execl() is called to execute the value that shell
> points to. So you can execute commands with sgid mail privs. One problem
> you may run into is shells that drop privs if rgid != egid, so you could
> simply write a wrapper that calls setrgid(mail) then executes the specified
> command with sgid mail privs.

Nope. Check out main.c, line 56:

        /*
         * Absolutely the first thing we do is save our egid
         * and set it to the rgid, so that we can safely run
         * setgid. We use the sgid (saved set-gid) to allow ourselves
         * to revert to the egid if we want (temporarily) to become
         * privileged.
         */

        effectivegid = getegid();
        realgid = getgid();
        if (setgid(realgid) < 0) { perror("mailx: setgid real"); exit(1); }

Now it's running with whatever privileges you had. It switches back to
these privileges in lock.c when it needs them, then immediately switches
back.

> segv
> <segv_at_setec.org>

--
   ________________    ___________________________________________
  / Nathan Dorfman \  /  "My problems start when the smarter bears
 / nathan_at_rtfm.net  \/      and the dumber visitors intersect."
/ finger for PGP key \ Steve Thompson, Yosemite wildlife biologist
Received on Jul 01 1998
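The pattern Nathan describes (save the egid at startup, run as the real gid, use the saved set-gid to regain the privileged group only for a bracketed step) is small enough to show as a complete program. The following is an added example written for this archive page, not code from mailx or from either poster. It assumes a process without CAP_SETGID, for which setgid() changes only the effective gid and leaves the saved set-gid intact (Linux semantics), and it verifies each transition instead of trusting it. The function names (`drop_to_real_gid`, `with_saved_gid`, `record_egid`) are hypothetical; the fork-based check at the end is the '!' case: a child spawned after the drop inherits the real gid, so a shell started there has only the invoking user's privileges.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Group ids captured at startup. In a real setgid-mail binary saved_egid would
 * be the "mail" group and real_gid the invoking user's group; when run
 * unprivileged (as here) the two are equal, which is exactly the state the
 * pattern guarantees between privileged steps. */
static gid_t saved_egid;
static gid_t real_gid;

/* Step 1 (what mailx does first in main.c): save the egid, then run with the
 * real gid. For a process without CAP_SETGID, setgid() changes only the
 * effective gid, so the setgid group survives as the saved set-gid and can be
 * re-acquired later with setegid(). Returns 0 on success, -1 on failure. */
int drop_to_real_gid(void)
{
    saved_egid = getegid();
    real_gid = getgid();
    if (setgid(real_gid) < 0) {
        perror("setgid real");
        return -1;
    }
    /* Verify rather than trust: a privilege drop that silently fails is the bug. */
    return getegid() == real_gid ? 0 : -1;
}

/* Step 2 (the lock.c pattern): re-acquire the saved gid for one short step,
 * then drop again before returning. If dropping back fails we abort, because
 * continuing would leave the rest of the program, including any shell it
 * later spawns, running with the privileged group. */
int with_saved_gid(int (*step)(void))
{
    int rc;
    if (setegid(saved_egid) < 0) {
        perror("setegid saved");
        return -1;
    }
    rc = step();
    if (setegid(real_gid) < 0) {
        perror("setegid real");
        abort();
    }
    return rc;
}

/* Invariant that must hold everywhere outside with_saved_gid(): egid == rgid. */
int running_as_real_gid(void)
{
    return getegid() == getgid();
}

/* Constructed privileged step: it only records which egid it ran under. */
static gid_t egid_seen_in_step;
static int record_egid(void)
{
    egid_seen_in_step = getegid();
    return 0;
}

/* Returns 1 if the step ran with the saved gid AND the process is back at the
 * real gid afterwards, i.e. the privileged window was properly bracketed. */
int privileged_step_is_bracketed(void)
{
    if (with_saved_gid(record_egid) != 0)
        return 0;
    return egid_seen_in_step == saved_egid && running_as_real_gid();
}

/* The '!' command case: anything forked or exec'd after the startup drop
 * inherits the caller's credentials, so the child's egid is the real gid.
 * Returns 1 if the child confirms that. */
int child_inherits_real_gid(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(getegid() == getgid() ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    if (drop_to_real_gid() != 0)
        return 1;
    printf("after startup drop, egid == rgid: %s\n", running_as_real_gid() ? "yes" : "no");
    printf("privileged step bracketed:        %s\n", privileged_step_is_bracketed() ? "yes" : "no");
    printf("child runs with real gid:         %s\n", child_inherits_real_gid() ? "yes" : "no");
    return 0;
}
```

Run unprivileged, all three lines print "yes" because real, effective and saved gids already coincide; installed setgid mail, the same code makes the '!' shell inherit the user's group while the locking step still runs as mail. The abort() on a failed drop-back is deliberate: a lock routine that cannot return to the real gid must not hand control back to code that will later exec a shell.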