Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)
From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 18 May 2001 21:04:33 -0400

In message <20010518203508.DCF0EC3 () proven weird com>, Greg A. Woods writes:

> Personally I'm loath to allow ordinary users to specify delivery to
> programs in the first place, and forcing them at minimum to arrange for
> their mail filters to run unprivileged seems like a very small price to
> pay. I seem to recall this was the solution taken by the AT&T UPAS
> mailer delivered as the default mailer on native UNIX System V Release 4.
>
> That's certainly the way it works on Plan 9:
>
>     If the file /mail/box/username/pipeto exists and is readable
>     and executable by everyone, it will be run for each
>     incoming message for the user. The message will be piped
>     to it rather than appended to his/her mail box. The file
>     is run as user `none'.

That's more an artifact of Plan 9 than of upas -- upas on Unix did
support 'Pipe to'. But Plan 9 has no notion of setuid nor (as I
recall) of superuser, so it can't do that. And while there are
certainly security issues with delivery to programs (that's why
sendmail had to implement smrsh), not having write ability to per-user
files causes problems for programs like 'vacation'.
--Steve Bellovin, http://www.research.att.com/~smb
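
The delivery rule quoted from the Plan 9 manual, carried over to Unix as an added example (not code from this thread or from upas). The `nobody` account stands in for Plan 9's `none`, and the function names, timeout and environment are assumptions.

```python
import os
import pwd
import stat
import subprocess

UNPRIV_USER = "nobody"  # assumption: Unix stand-in for Plan 9's user `none'
WORLD_RX = stat.S_IROTH | stat.S_IXOTH


def pipeto_eligible(path):
    """The quoted rule: the file exists and everyone may read and execute it."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & WORLD_RX) == WORLD_RX


def _drop_privileges():
    """Runs in the child before exec: shed root for good, groups first."""
    if os.geteuid() != 0:
        return  # not started as root, so there is nothing to give up
    pw = pwd.getpwnam(UNPRIV_USER)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def deliver(message, pipeto, mailbox):
    """Pipe the message to the user's filter if eligible, else append to the mailbox."""
    if pipeto_eligible(pipeto):
        # Started as root, the filter runs as UNPRIV_USER with a fixed
        # environment, so it cannot write the recipient's own files (the
        # 'vacation' problem). check=True raises if the filter exits non-zero.
        subprocess.run([pipeto], input=message, check=True, timeout=30,
                       preexec_fn=_drop_privileges, cwd="/",
                       env={"PATH": "/usr/bin:/bin"})
        return "piped"
    with open(mailbox, "ab") as box:
        box.write(message)
    return "appended"
```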