Re: Mail delivery privileges
From: daw () mozart cs berkeley edu (David Wagner)
Date: 4 Jun 2001 06:48:32 GMT
David Wagner wrote:
> Peter W wrote:
>> To protect users from each other's ~/.forward instructions, it is necessary,
>> as Wietse said, for the delivery agent to start with superuser privileges.
> [...] Imagine: ~/.forward-program could be a
> setuid executable, owned by the user, and a non-root delivery
> agent could exec() the relevant ~/.forward-program. [...] What am I missing?
Many folks responded privately (thanks, all!). Here's a summary.
- It doesn't work if home directories are on a partition mounted nosetuid.
(Fix: Put the .forward-program elsewhere.)
- You have to be very careful when writing a setuid ~/.forward-program.
- Writeable home directories are very dangerous. (Agreed.)
- A more problematic issue is that a malicious user can gain access to
the uid that the delivery agent runs under by calling setuid(2)
or by simply stripping the setuid bit off of their ~/.forward-program.
I must admit that I had not anticipated this last attack, which is
a very serious threat. It seems to me that it might be possible to
defend against this attack, if the appropriate mail delivery agent
runs under a 'nobody'-like uid with absolutely no privileges. However,
this may be tricky to configure safely, and the fact that I overlooked
one subtle attack leaves some reason to be concerned that there may be
other even more subtle attacks lurking in the shadows. I think we can
say that it might be possible to make my proposal work, but the details
appear to be non-trivial.
Thanks to Peter W., Greg Woods, Chris Siebenmann, Emmanuel Galanos,
Steve Bellovin, Henrik Nordstrom, and Roman Werpachowski for comments.