Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!mcsun!hp4nl!ruuinf!praxis!edwin From: edwin@praxis.cs.ruu.nl (Edwin Kremer) Newsgroups: comp.mail.elm Subject: Re: ** Serious Elm security hole + FIX ** Keywords: elm, $MAIL, read folder on startup Message-ID: <1727@ruuinf.cs.ruu.nl> Date: 22 Oct 89 20:56:21 GMT References: <1726@ruuinf.cs.ruu.nl> <1989Oct22.155409.3857@acd4.UUCP> Sender: news@ruuinf.cs.ruu.nl Lines: 35 In article <1989Oct22.155409.3857@acd4.UUCP> mjb@acd4.UUCP (Mike Bryan) writes: > We do not have the problem here. Our user mailboxes are setup with > permission "-rw-------", and /bin/mail is setup as setuid root, not > setgid mail. We are running Ultrix 3.1 and Ultrix 2.3; these are the > default permissions as supplied by DEC. Ah, but haven't we seen security flaws introduced by programs that were SUID to root and allowed shell escapes ?? One step forward to UNIX security is that you don't have programs SUID to root *unless* it's really necessary. I mean, if SGID can handle it, why use SUID ???? If there's a leak in a program, then the highest rank an intruder can become is that of group mail instead of user root. That's why I prefer SGID. > You neglected to say what flavor of UNIX you are using. Well, I mentioned HCX-UX 3.0 and HP-UX 6.5. Both are merely treatened as System V systems, with the BSD goodies thrown in. > I found another problem in Elm while checking out yours, however. If > a mail folder is specified which you cannot access (such as another > user's), Elm will not exit. It comes up saying the mailbox has 0 > entries (even though it has several). Right. I noticed that as well. This is because Elm doesn't do access check, sets up the screen, then notices that opening the mailbox fails. This is what happened when I dropped the SGID bit from Elm. Anyway, if you apply my patch, this strange behaviour will go away as well. --[ Edwin ]-- -- Edwin Kremer, Department of Computer Science, University of Utrecht Padualaan 14, P.O. Box 80.089, 3508 TB Utrecht, The Netherlands Phone : +31 - 30 - 534104 | Telefax: +31 - 30 - 513791 E-Mail: edwin@cs.ruu.nl | UUCP to: ...!hp4nl!ruuinf!edwin