Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!mcsun!hp4nl!ruuinf!praxis!edwin From: edwin@praxis.cs.ruu.nl (Edwin Kremer) Newsgroups: comp.mail.elm Subject: ** Serious Elm security hole + FIX ** Keywords: elm, $MAIL, read folder on startup Message-ID: <1726@ruuinf.cs.ruu.nl> Date: 21 Oct 89 21:10:42 GMT Sender: news@ruuinf.cs.ruu.nl Organization: University of Utrecht, Department of Computer Science. Lines: 125 Yesterday I discovered a nasty hole in the Elm security that would let anybody read no matter whose mailbox. This behaviour only occurs if you're running a Elm version that is SGID to e.g. group "mail". The following scenario took place at our site. For your information, our affected systems were: Harris HCX-9, HCX/UX 3.0, Elm 2.2 PL11 HP9000/370, HP-UX 6.5, Elm 2.2 PL11 HP9000/340, HP-UX 6.5, Elm 2.2 PL11 Imagine the following situation. The mail delivery agent is Sendmail that uses "/bin/mail" (from now on referenced as BINMAIL) for local delivery. The mail spool directory is '/usr/mail' and has permissions: drwxrwxr-x 2 bin mail 5120 Oct 21 19:51 /usr/mail User mailboxes have permissions like: -rw-rw---- 1 edwin mail 2813 Oct 21 17:31 /usr/mail/edwin -rw-rw---- 1 root mail 1069 Oct 19 13:34 /usr/mail/root BINMAIL has permissions: -r-xr-sr-x 2 bin mail 102400 Feb 17 1989 /bin/mail Elm has permissions: -rwxr-sr-x 1 root mail 266240 Oct 21 21:49 /local/bin/elm So far, so good. The mail spool directory '/usr/mail' must be writeble by group 'mail' in order to: 1) allow the local delivery mailer BINMAIL to create user mailboxes, 2) allow BINMAIL to create its lock files e.g. '/usr/mail/edwin.lock' The user mailboxes must be writable by group 'mail' as well in order to allow the local delivery mailer BINMAIL to write user mailboxes. The same story goes for Elm, it must read/write user mailboxes and it should use a BINMAIL like locking mechanism. Well, to achieve this, both BINMAIL and Elm are usually SGID to 'mail'. This also implies that both programs *may* be able to read all mailboxes, but the *real* permission checking mechanism in these programs usually prevents unwanted situations like these. Ok, now let's concentrate on Elm: it *really* checks if you've permission to read a mailbox, using the REAL GROUPID instead of the EFFECTIVE groupid (you may wish to check this by issuing a C)hange folder command to e.g. '/usr/mail/root' ==> Elm won't let you read it). Ok, now this is where we fail: Elm does not check permissions on the DEFAULT MAILBOX FILE at startup, this one is opened for reading anyway !!!!! Still no trouble uh, that file is '/usr/mail/my_login_name', right ?? Maybe, but Elm checks the environment variable MAIL first. Suppose I issue the following commands from my C-shell: % whoami edwin % setenv MAIL /usr/mail/root % elm ....... Wow, no access checking is done and I can read anyone's mailbox just by setting $MAIL to another value and invoking Elm after doing so... Well, I hope the Elm Development Group will comment on this. Meanwhile I suggest all system administrators to check out their Elm behaviour and apply the patch below if needed. Good luck. --[ Edwin ]-- #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ *** init.c.ORIG Sat Oct 21 21:15:29 1989 --- init.c Sat Oct 21 21:18:29 1989 *************** *** 269,276 **** exit(0); } ! /* check for permissions only if not default mail file */ ! if(strcmp(requestedmfile, defaultfile) != 0) { if ((errno = can_access(requestedmfile, READ_ACCESS))) { dprint(1, (debugfile, "Error: given file %s as folder - unreadable (%s)!\n", --- 269,279 ---- exit(0); } ! /* ! * ALWAYS check for permissions on the mail file, even if ! * it's the default mailbox because users may fake another ! * default mailbox by setting their environment variable MAIL. ! */ if ((errno = can_access(requestedmfile, READ_ACCESS))) { dprint(1, (debugfile, "Error: given file %s as folder - unreadable (%s)!\n", *************** *** 280,286 **** Raw(OFF); exit(1); } - } /** check to see if the user has defined a LINES or COLUMNS value different to that in the termcap entry (for --- 283,288 ---- #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Edwin Kremer, Department of Computer Science, University of Utrecht Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands Phone : +31 - 30 - 534104 | Telefax: +31 - 30 - 513791 E-Mail: edwin@cs.ruu.nl | UUCP to: ...!hp4nl!ruuinf!edwin