Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!usc!ucsd!ames!ncar!midway!gargoyle!chinet!les
From: les@chinet.chi.il.us (Leslie Mikesell)
Newsgroups: comp.unix.internals
Subject: Re: non-superuser chown(2)s considered harmful
Keywords: chown, mail
Message-ID: <1990Dec14.172137.5388@chinet.chi.il.us>
Date: 14 Dec 90 17:21:37 GMT
References: <1990Dec11.005644.20688@cbnewsk.att.com> <1990Dec11.203632.7402@chinet.chi.il.us> <1990Dec13.192712.25225@cbnewsk.att.com>
Organization: Chinet - Public Access UNIX
Lines: 26

In article <1990Dec13.192712.25225@cbnewsk.att.com> hansen@pegasus.att.com (Tony L. Hansen) writes:
>< Are you talking about the same SysV /bin/mail that I have (AT&T SysVr3)

>Yes, that bug was once there, but has been since squashed in SVr4 mail.

>Compare the small number of security problems in Sys V mail through the years
>(always using setgid+chown) with the numerous security problems in BSD mail
>through the years (using setuid-root, world-writable mail area, or various
>other schemes). I'll take the setgid+chown any day.

But those problems mostly relate to the additional functionality of those
other mailers. SysV mail doesn't (and can't without being setuid root)
offer to run pipes in my .forward file under my uid during delivery. It
also happily takes my word that I am who I say I am.

The "enhanced" /bin/mail that is supplied with AT&T's PMX-mailer products
introduces a crude way of specifying programs as aliases and thus incurs
some new security problems. I suppose this is also "fixed in SysVr4" by
disallowing any shell metacharacters in mail addresses.

I fixed it by installing smail 3 and tossing the AT&T stuff, although it
has some problems as well. In particular, its security checking is
severely compromised by the /bin/mail behaviour I mentioned earlier and
the fact that a setuid program can't determine (at least under sysV) the
effective id of the invoker. But at least now if I find a problem I can
fix it.

Les Mikesell
  les@chinet.chi.il.us