Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Unsafe assumptions (Re: Mail delivery...)
From: Marcus Meissner <Marcus.Meissner () caldera de>
Date: Sat, 19 May 2001 22:14:51 +0200

On Sat, May 19, 2001 at 02:07:47PM +0200, Olaf Titz wrote:
local delivery agent(s).  After all that's all you've got with "*.lock"
files, since they too are only advisory locks.  Putting them into the
kernel simply makes it possible to eliminate the risk of a mode 01777
spool directory.  (The risk is already quite low of course if you
pre-create all mailbox spool files, and especially if you write careful
lock validation code in the local delivery agent.  Kernel locks simply
make the code for safe local delivery less complex.)

Not quite. Any scheme which relies on pre-existing mailboxes would
also have to make sure that the owner of the mailbox cannot remove it.
This means not only standard MUAs but also "rm", "mv"[1], accidental
mistakes or user-installed MUAs. As I see it this is pretty much
impossible to guarantee.

So reliance on pre-existing mailboxes is inherently unsafe because it
relies on assumptions which can not be guaranteed, regardless of
useradd programs etc.

The solution to that is very simple:

- Create /var/mail/ with mode 775, root.mail owned.
- Write a small helper program, which is setgid mail, which just touches
  a file with the calling users username in /var/mail/.

In fact, we use the appended helper (setgid mail) in Caldera OpenLinux now.

Ciao, Marcus
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm () caldera de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux

Attachment: createmailfolder.c

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]