Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!wuarchive!texbell!vector!attctc!jdoss
From: jdoss@attctc.Dallas.TX.US (Joe M. Doss, Jr.)
Newsgroups: comp.os.minix
Subject: Re: Wmail 2.6 (Posted for F. van Kempen; I haven't looked at it)
Message-ID: <10093@attctc.Dallas.TX.US>
Date: 9 Nov 89 03:47:11 GMT
References: <4465@ast.cs.vu.nl> <2148@prune.bbn.com>
Reply-To: jdoss@attctc.Dallas.TX.US (Joe M. Doss, Jr.)
Organization: The Unix(R) Connection BBS, Dallas, Tx
Lines: 40

In article <2148@prune.bbn.com> rsalz@bbn.com (Rich Salz) writes:
>In <4465@ast.cs.vu.nl> ast@cs.vu.nl (Andy Tanenbaum) writes:
>
>From the Makefile:
>install:
>	...
>	chown root.root $(BIN)/wmail
>	chmod 4555 $(BIN)/wmail
>
>Okay, so the sucker runs setuid root.  GREAT!  Look at the
>dead_letter() function.  It does, basically fopen(getenv("DEADLETTER"), "w").
>
>So, all I need to do is "DEADLETTER=/etc/passwd ; export DEADLETTER" and
>arrange to fail a mail message of the right stuff.  Yes, it does chown()
>the file, so I can't just write my own /bin/su...
>	/r$

I haven't looked at this latest version yet, but the previous version
didn't do any access() checking on saved mail files, either.  Something
like:

	[1]& s /etc/passwd

worked from any account.

I fixed it with minor changes by creating a group called "mail" and
making the program setgid mail, no setuid.  I changed /usr/spool/mail
to be group mail with group write-bit set, and all the mail-files group
mail with group write permission.  About the only harm one could do that
way is wipe out another user's mail file.  I'll make the few changes to
the newer version and post a patch in the next few days.

This method with /bin/mail setgid mail is the way mail is done on this
System-V machine, so I can't see a problem with the concept, at least.
My implementation may have missed something obvious, but I've been using
it about a week without a single problem.  It certainly beats the
security hole the mailer has as posted.

==============================================================================
Disclaimer: The opinions above are my own, not my employer's

Joe M. Doss, Jr.                        jmdst!jdoss@attctc.dallas.tx.us
==============================================================================
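
The C code below is an added example, not part of the post and not wmail's code. It shows one way to close the hole in the quoted dead_letter() description: open the file named by DEADLETTER with the invoker's own uid and gid, so the kernel applies the invoker's permissions inside open() itself; this goes beyond the setgid-mail change described in the post. The name open_dead_letter(), the O_NOFOLLOW flag and the 0600 mode are assumptions of this example.

```c
/* Added example (not wmail's code): open the DEADLETTER file with the
 * invoker's own ids.  open_dead_letter() is a hypothetical name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns a write-only descriptor, or -1 with errno set. */
int open_dead_letter(const char *path)
{
    uid_t priv_uid = geteuid();   /* ids gained from the setuid/setgid bits */
    gid_t priv_gid = getegid();
    int fd, saved_errno;

    if (path == NULL || *path == '\0') {
        errno = EINVAL;
        return -1;
    }
    /* Drop the effective ids to the real ones, group first.  The kernel
     * then checks the invoker's permissions in open() itself, so there is
     * no window between a separate access() test and the open. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        abort();
    /* O_NOFOLLOW (an extra precaution chosen for this example) refuses a
     * symlink as the last path component; 0600 keeps a new file private. */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    saved_errno = errno;
    /* Restore the privileged ids for the rest of the mailer; never carry
     * on in an unknown state if that fails. */
    if (seteuid(priv_uid) != 0 || setegid(priv_gid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

int main(void)
{
    int fd = open_dead_letter(getenv("DEADLETTER"));

    if (fd < 0) { perror("dead letter"); return 1; }
    close(fd);
    return 0;
}
```

Because the file is created while the effective ids are the invoker's, it already belongs to the invoker and needs no chown() afterwards.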