Path: utzoo!utgpu!attcan!uunet!ginosko!gem.mps.ohio-state.edu!tut.cis.ohio-state.edu!ucsd!ames!amdahl!pacbell!dsinc!syd
From: syd@DSI.COM (Syd Weinstein)
Newsgroups: comp.mail.elm
Subject: Re: ** Serious Elm security hole + FIX **
Keywords: elm, $MAIL, read folder on startup
Message-ID: <1989Oct22.222227.27140@DSI.COM>
Date: 22 Oct 89 22:22:27 GMT
References: <1726@ruuinf.cs.ruu.nl>
Reply-To: syd@DSI.COM
Organization: Datacomp Systems, Inc. Huntingdon Valley, PA
Lines: 35

edwin@praxis.cs.ruu.nl (Edwin Kremer) writes:

> Yesterday I discovered a nasty hole in the Elm security that would
> let anybody read no matter whose mailbox. This behaviour only occurs
> if you're running an Elm version that is SGID to e.g. group "mail".
[...]
> Well, I hope the Elm Development Group will comment on this. Meanwhile
> I suggest that all system administrators check out their Elm behaviour
> and apply the patch below if needed. Good luck.

Before I even saw this news article, my mailbox had a message from one of
my local sites stating that the supplied patch will not work. It actually
works too well. It causes you to get the message even in send-only mode
(i.e. elm user@host).

Patch 12 is already cut and awaiting testing feedback before being posted.
This security hole will be fixed in patch 13. Our official patch will,
hopefully, work for send-only mode and the default mailbox. We will also
attempt to see if any of the utilities have similar problems.

Due to the nature of this hole, and the fact that Edwin reported it to the
net first, before we could get a fix ready, we will expedite the patch.

For security problems, please let the vendor or author know first so a
workaround or patch can be derived before making it public. If, indeed,
the vendor or author is uncooperative, then by all means embarrass them;
however, in this case, this is the first we heard of this problem.

Now for which sites are affected: USG type sites are affected. BSD type
are not.
--
=====================================================================
Sydney S. Weinstein, CDP, CCP                    Elm Coordinator
Datacomp Systems, Inc.                           Voice: (215) 947-9900
syd@DSI.COM or {bpa,vu-vlsi}!dsinc!syd           FAX:   (215) 938-0235
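The hole discussed in this thread is the general set-group-id pitfall: a program running SGID "mail" honours a user-controlled $MAIL and opens it on startup with the group privilege still in effect, so the invoking user can name anyone's mailbox. The following is an added illustration written for this page, not Elm's code and not the patch 12/13 fix referred to above; the function names, the sample mailbox and the /tmp path are all assumptions. It shows the vulnerable open beside two hardened forms: an access(2) check, which is evaluated against the real uid/gid, and dropping the effective gid around the open(2) so the kernel applies the unprivileged identity itself.

```c
/* Added example (not Elm code): opening a user-supplied $MAIL from a
 * set-group-id "mail" program. Function names and the sample mailbox
 * below are assumptions made for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape: opens whatever $MAIL names with the SGID group still
 * in effect, so any group-"mail" readable mailbox can be named. */
int open_mailbox_privileged(const char *path)
{
    return open(path, O_RDONLY);
}

/* Fix 1: access(2) tests against the REAL uid/gid, i.e. "could the caller
 * read this without the set-group-id bit?". There is a race between the
 * access() and the open() (the path could be re-pointed); fix 2 avoids it. */
int open_mailbox_checked(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Fix 2: drop the effective gid to the real gid around open(2), then regain
 * the saved gid for any later work (locking, delivery) that needs it. */
int open_mailbox_unprivileged(const char *path)
{
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    if (setegid(getgid()) != 0)
        return -1;
    fd = open(path, O_RDONLY);
    saved_errno = errno;
    if (setegid(saved_egid) != 0) {
        /* Could not regain privilege: fail closed rather than carry on. */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Constructed sample mailbox for the self-test; not a real user's mail.
 * Tries /tmp first and the current directory as a fallback. */
static int create_sample_mailbox(char *path, size_t len)
{
    const char *msg = "From alice@example.com Sun Oct 22 22:22:27 1989\n"
                      "Subject: constructed sample\n\nhello\n";
    int fd;

    if (len < sizeof("/tmp/elm_sample_XXXXXX"))
        return -1;
    strcpy(path, "/tmp/elm_sample_XXXXXX");
    fd = mkstemp(path);
    if (fd < 0) {
        strcpy(path, "./elm_sample_XXXXXX");
        fd = mkstemp(path);
    }
    if (fd < 0)
        return -1;
    if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* Returns 0 when both fixes open the caller's own mailbox and refuse a
 * path that does not exist; a nonzero code identifies the failing step. */
int self_test(void)
{
    char path[64];
    int fd, rc = 0;

    if (create_sample_mailbox(path, sizeof path) != 0)
        return 1;
    fd = open_mailbox_checked(path);
    if (fd < 0) rc = 2; else close(fd);
    fd = open_mailbox_unprivileged(path);
    if (fd < 0) rc = 3; else close(fd);
    if (open_mailbox_checked("/nonexistent/mailbox") != -1) rc = 4;
    if (open_mailbox_unprivileged("/nonexistent/mailbox") != -1) rc = 5;
    unlink(path);
    return rc;
}

int main(void)
{
    const char *mail = getenv("MAIL");   /* user-controlled, as Elm honours it */
    int fd;

    if (mail == NULL) {
        fprintf(stderr, "MAIL not set\n");
        return 1;
    }
    fd = open_mailbox_unprivileged(mail);
    if (fd < 0) {
        perror(mail);
        return 1;
    }
    printf("%s is readable by the real user; opened as fd %d\n", mail, fd);
    close(fd);
    return self_test();
}
```

Run as an ordinary user with $MAIL pointed at another user's mailbox, the privileged variant would succeed on a group-"mail" readable spool while both hardened variants fail with EACCES. Note that a send-only invocation (elm user@host) has no reason to open any mailbox at all, which is the separate problem the reply above says the posted patch got wrong.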