Bugtraq mailing list archives

Re: more problems with mailx
From: nathan () RTFM NET (Nathan Dorfman)
Date: Tue, 30 Jun 1998 19:31:35 -0400


On Mon, Jun 29, 1998 at 12:22:32PM -0400, Segv wrote:
> There seem to be some more problems with mailx. While browsing over the
> source, I found the code that handles the '!' command.
> (this appears in names.c)
>
>   if ((shell = value("SHELL")) == NOSTR)
>         shell = SHELL;
>    execl(shell, shell, "-c", fname, 0);
>
> As you can see the value() function returns a pointer to the value of (the
> environment variable) SHELL. If SHELL isn't set it defaults to /bin/bash
> (consult local.h). Then execl() is called to execute the value that shell
> points to. So you can execute commands with sgid mail privs. One problem
> you may run into is shells that drop privs if rgid != egid, so you could
> simply write a wrapper that calls setrgid(mail) then executes the specified
> command with sgid mail privs.

Nope. Check out main.c, line 56:

        /*
         * Absolutely the first thing we do is save our egid
         * and set it to the rgid, so that we can safely run
         * setgid.  We use the sgid (saved set-gid) to allow ourselves
         * to revert to the egid if we want (temporarily) to become
         * priveliged.
         */

        effectivegid= getegid();
        realgid= getgid();
        if (setgid(realgid) <0) { perror("mailx: setgid real"); exit(1); }

Now it's running with whatever privileges you had. It switches back to
these privileges in lock.c when it needs them, then immediately switches
back.

> segv
> <segv () setec org>

--
   ________________    ___________________________________________
  / Nathan Dorfman \  /  "My problems start when the smarter bears
 / nathan () rtfm net  \/      and the dumber visitors intersect."
/ finger for PGP key \ Steve Thompson, Yosemite wildlife biologist
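The pattern Nathan points at (save the effective gid, setgid() to the real gid as the very first thing in main, and switch back only around the code that needs the privileged group) is shown below as an added C example. It is not mailx source and not code posted in this thread; it models a hypothetical sgid binary with its own '!' command. DEFAULT_SHELL is an assumption standing in for the SHELL define in mailx's local.h. When the binary is run without the setgid bit, egid already equals rgid and the gid calls are effectively no-ops, which the program reports.

```c
/* Added example, not mailx code: drop the setgid group at startup and
 * regain it only around a privileged operation, the way the reply
 * describes main.c and lock.c doing. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumption: mailx takes this from local.h; value is hypothetical. */
#define DEFAULT_SHELL "/bin/sh"

static gid_t saved_egid;   /* the group the binary was installed setgid as */
static gid_t real_gid;     /* the invoking user's group */

/* Call first thing in main(). For a process without root privilege,
 * setgid() changes only the effective gid and leaves the saved
 * set-group-ID alone, so the privileged group stays available for later.
 * Returns 0 on success, -1 on failure. */
int drop_privs(void)
{
    saved_egid = getegid();
    real_gid = getgid();
    if (setgid(real_gid) < 0) {
        perror("setgid real");
        return -1;
    }
    return 0;
}

/* Become the privileged group again, e.g. to create a lock file in the
 * spool. POSIX allows an unprivileged setgid() to any of the real or
 * saved set-group-ID, so this works without root. */
int regain_privs(void)
{
    return setgid(saved_egid);
}

/* Back to the invoking user's group once the privileged step is done. */
int release_privs(void)
{
    return setgid(real_gid);
}

/* 1 when the effective gid equals the real gid (no extra privilege). */
int running_as_real_gid(void)
{
    return getegid() == getgid();
}

/* The '!' command: run $SHELL -c cmd in a child. Because the parent's
 * effective gid is the real gid at this point, the child starts with
 * egid == rgid, and exec() also resets the child's saved set-group-ID to
 * that effective gid, so a wrapper that tries setgid(mail) in the child
 * gets EPERM. Returns the child's exit status, or -1 on error. */
int run_shell_command(const char *cmd)
{
    const char *shell = getenv("SHELL");
    if (shell == NULL || *shell == '\0')
        shell = DEFAULT_SHELL;

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
        /* (char *)NULL, not a bare 0: the sentinel must be a full-width
         * null pointer on platforms where int and pointer differ in size. */
        execl(shell, shell, "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    if (drop_privs() < 0)
        return 1;
    printf("egid == rgid after drop: %d\n", running_as_real_gid());

    /* A user-supplied '!' command runs here without the setgid group. */
    int rc = run_shell_command("id -g; exit 3");
    printf("shell exit status: %d\n", rc);

    /* Privileged step, kept as short as possible. */
    if (regain_privs() == 0) {
        printf("egid while privileged: %ld\n", (long)getegid());
        release_privs();
    }
    return 0;
}
```

To see the separation, build it, then `chgrp mail a.out && chmod g+s a.out` (or any group you control) and run it: the `id -g` from the '!' path prints your own group, while the "egid while privileged" line prints the sgid group. Without the setgid bit both lines show the same group.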


