Newsgroups: comp.unix.internals
Path: utzoo!telly!eci386!woods
From: woods@eci386.uucp (Greg A. Woods)
Subject: Re: non-superuser chown(2)s considered harmful
Message-ID: <1990Dec14.171022.4992@eci386.uucp>
Summary: they sure seem useful to me!
Keywords: chown, mail
Reply-To: woods@eci386.UUCP (Greg A. Woods)
Organization: Elegant Communications, Inc.
References: <18792@rpp386.cactus.org> <2800:Dec1001:29:4890@kramden.acf.nyu.edu> <1990Dec11.005644.20688@cbnewsk.att.com> <1990Dec11.203632.7402@chinet.chi.il.us>
Date: Fri, 14 Dec 90 17:10:22 GMT

In article <1990Dec11.203632.7402@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
> In article <1990Dec11.005644.20688@cbnewsk.att.com> hansen@pegasus.att.com (Tony L. Hansen) writes:
> >The mail(1) command uses chown(2) and set-gid to give a secure mail system. I
> >feel that other methods are fraught with potential security holes.
>
> Are you talking about the same SysV /bin/mail that I have (AT&T SysVr3)
> that uses the environment variable LOGNAME to decide who you are
> and allows you to forward your mail with the command:
>    mail -F new_address
>
> If you are, try:
>    MAIL=/usr/mail/you LOGNAME=you mail -F me
> (replace "you" with someone else on the system who happens to have an
> empty mailbox, and "me" with your login name)
>
> Then tell me if you would still describe the system as secure.

$ uname -a
eci386 eci386 1.0.6 1 80386
$ # [That's 386/ix, an AT&T System V Release 3.0 derivative]
$ ls -l /usr/mail/chris
-rw-rw---- 1 chris mail 0 Nov 4 12:59 /usr/mail/chris
$ # [binmail is the real mail, mail is svbinmail from smail-2.5]
$ ls -l /bin/binmail
-rwxr-sr-x 2 bin mail 49208 Jun 2 1988 /bin/binmail
$ what /bin/binmail
/bin/binmail:
	cb:mail 386/ix Version 1.0.6
$ MAIL=/usr/mail/chris LOGNAME=chris /bin/binmail -F woods
binmail: Invalid permissions
binmail: Cannot install/remove forwarding without empty mailfile
$ ls -l /usr/mail/chris
-rw-rw---- 1 chris mail 0 Nov 4 12:59 /usr/mail/chris
$ ls -l /usr/mail/root
-rw-rw---- 1 root mail 27820 Dec 12 05:18 /usr/mail/root
$ MAIL=/usr/mail/root LOGNAME=root /bin/binmail -F woods
binmail: Invalid permissions
binmail: Cannot install/remove forwarding without empty mailfile
$

Hmm... Yup, it seems secure to me!

Doesn't mean non-superuser chown is OK, but IMHO it *is* not only OK,
but useful!
-- 
Greg A. Woods
woods@{eci386,gate,robohack,ontmoh,tmsoft}.UUCP
ECI and UniForum Canada
+1-416-443-1734 [h] +1-416-595-5425 [w] VE3TCP
Toronto, Ontario CANADA
Political speech and writing are largely the defense of the indefensible-ORWELL
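
Added example, not part of the original post and not binmail's source: one way a set-gid mail program can reach the refusals shown in the transcript, by keying the decision to the real uid and the mailbox's owner instead of LOGNAME or MAIL. The rule itself (the caller must own an empty, singly linked regular file) and the names fwd_decide and fwd_check_path are assumptions; only the two error strings and the sample path come from the post.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum fwd_result { FWD_OK = 0, FWD_BAD_PERMS = 1, FWD_NOT_EMPTY = 2, FWD_NO_FILE = 3 };

/* Pure decision (hypothetical rule): may the process whose REAL uid is `ruid`
 * install or remove forwarding on the mailbox described by `st`?  Nothing from
 * the environment (LOGNAME, MAIL) is consulted, so identity cannot be claimed. */
enum fwd_result fwd_decide(const struct stat *st, uid_t ruid)
{
    if (!S_ISREG(st->st_mode) || st->st_nlink != 1)
        return FWD_BAD_PERMS;   /* refuse symlinks, hard links, devices */
    if (st->st_uid != ruid)
        return FWD_BAD_PERMS;   /* not the caller's own mailbox */
    if (st->st_size != 0)
        return FWD_NOT_EMPTY;   /* forwarding only on an empty mailfile */
    return FWD_OK;
}

/* Path wrapper: lstat() so a symlink is judged as a symlink, and getuid()
 * (real uid) rather than geteuid(), because a set-id program's effective
 * ids belong to the program, not to the person running it. */
enum fwd_result fwd_check_path(const char *mailbox)
{
    struct stat st;
    if (lstat(mailbox, &st) != 0)
        return FWD_NO_FILE;
    return fwd_decide(&st, getuid());
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "Invalid permissions",
        "Cannot install/remove forwarding without empty mailfile",
        "no such mailbox" };
    const char *path = argc > 1 ? argv[1] : "/usr/mail/chris"; /* path from the post */
    enum fwd_result r = fwd_check_path(path);
    printf("%s: %s\n", path, msg[r]);
    return r;
}
```

A real implementation would open the mailbox with O_NOFOLLOW and apply the same test to fstat() on the descriptor, so the file that was checked is the file that is later written.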