mailing list archives
Re: Solaris /usr/bin/mailx exploit (SPARC)
From: woods () weird com (Greg A. Woods)
Date: Tue, 15 May 2001 14:00:13 -0400 (EDT)
[ On Tuesday, May 15, 2001 at 13:46:23 (+0200), Johann Klasek wrote: ]
Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
To correct slightly the picture of a set-gid mail environment:
set-gid has nothing to do with writing the inbox. It was in old days
(without todays 1000 permission) the only method to allow mail clients
the creation of .lock files and the inbox file itself in
/var/spool/mail. It was never necessary to let the inbox writeable for
group "mail" (of course, probably not true in very old System 7
environments). Therefore, a 600 permission does NOT implicate an
unnecessary group mail setup. The delivery into a mailbox is
accomplished with user (inbox owner) permission (derived from the set-
uid root MTA).
To correct that mis-information:
V7 used setuid-root /bin/mail for delivery (it was insecure)
A correct implementation of SysV mail with setgid-mail does
indeed require that mailboxes be writable by the group mail.
The system mailbox spool directory must not be world writable.
SysV mail is designed to eliminate *ALL* need for setuid-root!
By now you might have realised that SysV mail requires chown() to be
usable by non-root. If so then you're right. It's not compatible with
naive filesystem-based quotas. Pick one: a) root compromises, or b)
quotas. Actually, you don't have to -- you can implement mailbox quotas
in the mail delivery agent and you can put your mailbox directory on a
separate filesystem such that you don't have to use FS quotas there.
BSD's setuid-root mail subsystem is stupidly insecure, but many of us
do live with its risks every day..... :-(
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>