Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)
From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 18 May 2001 21:04:33 -0400

In message <20010518203508.DCF0EC3 () proven weird com>, Greg A. Woods writes:

Personally I'm loathe to allow ordinary users to specify delivery to
programs in the first place, and forcing them at minimum to arrange for
their mail filters to run unprivileged seems like a very small price to
pay.  I seem to recall this was the solution taken by the AT&T UPAS
mailer delivered as the default mailer on native UNIX System V Release 4.
That's certainly the way it works on Plan 9:

      If  the file /mail/box/username/pipeto exists and is read-
      able and executable by everyone, it will be run  for  each
      incoming  message for the user.  The message will be piped
      to it rather than appended to his/her mail box.  The  file
      is run as user `none'.

That's more an artifact of Plan 9 than of upas -- upas on Unix did 
support 'Pipe to'.  But Plan 9 has no notion of setuid nor (as I 
recall) of superuser, so it can't do that.  And while there are 
certainly security issues with delivery to programs (that's why 
sendmail had to implement smrsh), not having write ability to per-user 
files causes problems for programs like 'vacation'.

                --Steve Bellovin, http://www.research.att.com/~smb

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]