Xref: utzoo comp.unix.internals:1293 comp.mail.sendmail:2470
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!lavaca.uh.edu!menudo.uh.edu!sugar!ficc!peter
From: peter@ficc.ferranti.com (Peter da Silva)
Newsgroups: comp.unix.internals,comp.mail.sendmail
Subject: Re: non-superuser chown(2)s considered harmful
Keywords: chown security quota BSD SYSV
Message-ID:
Date: 7 Dec 90 23:02:50 GMT
References: <1990Dec5.135759.12508@noao.edu> <1990Dec6.005358.6336@dg-rtp.dg.com> <109958@convex.convex.com> <1990Dec7.032340.13531@mp.cs.niu.edu>
Reply-To: peter@ficc.ferranti.com (Peter da Silva)
Organization: Xenix Support, FICC
Lines: 17

In article <1990Dec7.032340.13531@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
> I wonder whether 'sendmail' checks for this. If the system aliases
> file contains :include:/path/name as an alias, when the alias is
> expanded 'sendmail' uses the permissions of the owner of the :include:
> file for aliases such as "|program".

That's a bug in sendmail. Is anyone surprised? After all, you can always
fake it out by sending mail to your target with appropriate lines in it,
then set your aliases file to point to their mailbox file (/usr/mail/user)...

Who else can think of a hole like this?

> If SystemV versions of 'sendmail' ...

What a horrible idea!
--
Peter da Silva. `-_-'
+1 713 274 5180. 'U`
peter@ferranti.com
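
Added example, not part of the original post: a Python audit a mail administrator could run over an aliases file to list each :include: target and flag files whose owner or write permissions cannot be trusted, which matters where non-superuser chown(2) lets a user give a file away. The aliases text, file names and the `trusted_uids` parameter are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches :include:/path inside an alias right-hand side (quoted or not).
INCLUDE_RE = re.compile(r':include:\s*([^\s,"]+)')

def include_targets(aliases_text):
    """Return every :include: path named in aliases-file text."""
    paths = []
    for line in aliases_text.splitlines():
        if not line.lstrip().startswith("#"):
            paths.extend(INCLUDE_RE.findall(line))
    return paths

def audit_include(path, trusted_uids=(0,)):
    """Return findings for one :include: file; an empty list means clean."""
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, device or directory)"]
    findings = []
    if st.st_uid not in trusted_uids:
        findings.append(f"owner uid {st.st_uid} is not trusted")
    if st.st_mode & 0o022:
        findings.append("file writable by group/other")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & 0o022:
        findings.append("parent directory writable by group/other")
    return findings

def demo():
    """Constructed sample: one tightly held include file and one loose one."""
    d = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    good, bad = os.path.join(d, "staff.list"), os.path.join(d, "users.list")
    for p, mode in ((good, 0o600), (bad, 0o666)):
        with open(p, "w") as fh:
            fh.write("alice\n")
        os.chmod(p, mode)
    aliases = (f"# constructed aliases file\nstaff: :include:{good}\n"
               f"users: \":include:{bad}\", bob\n")
    me = (os.getuid(),)  # assumption: the demo treats the current user as trusted
    return {p: audit_include(p, me) for p in include_targets(aliases)}

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings or "ok")
```

On a real system the default `trusted_uids=(0,)` applies, so any :include: file not owned by root is reported.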