Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!wuarchive!uunet!olivea!tymix!cirrusl!sunstorm!dhesi From: dhesi%cirrusl@oliveb.ATC.olivetti.com (Rahul Dhesi) Newsgroups: comp.unix.internals Subject: Re: non-superuser chown(2)s considered harmful Keywords: chown, mail Message-ID: <2807@cirrusl.UUCP> Date: 15 Dec 90 21:11:16 GMT References: <1990Dec11.203632.7402@chinet.chi.il.us> <1990Dec13.192712.25225@cbnewsk.att.com> <2803@cirrusl.UUCP> <1990Dec14.150710.4273@mp.cs.niu.edu> Sender: news@cirrusl.UUCP Organization: Cirrus Logic Inc. Lines: 43 In <1990Dec14.150710.4273@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes: > cd /usr/spool/mail > touch dhesi > chmod 777 dhesi > Now I own your mail box. I believe this problem was fixed going from 4.2BSD to 4.3BSD; if I remember correctly, the mail delivery program forces the mailbox to be owned by the user and not readable or writable by anybody else. If it doesn't, or if I'm remembering incorrectly, the security problem is in the mail delivery program, *not* with the fact that the mail directory itself is world-writable. We are assuming, of course, that the sticky bit is set on the mail directory. When there is a security problem caused by the combination of two things (e.g., 1. mail directory world-writable, 2. mail delivery program doesn't force mailbox security) one can't blame a lack of security on just one of those things The main problem with keeping mail directories world-not-writable and keeping mail user agents set-gid is that it becomes harder for Joe user to install his own user agent without the cooperation of the system administrator. You should not need any sysadmin support to read your own mail. I will grant you that a denial-of-service situation is still possible by simply going to the mail directory and creating a file $USER.lock, thus fooling all other mail programs into thinking that the mailbox is locked. The solution is for the mail delivery program to either not use this locking scheme (use flock instead), or to force an unlock if the lock file is too old. Actually, if everybody used flock, then you wouldn't need to make mail user agents set-gid, because they would never have to create any new files in the mail directory. Unfortunately, even our our super modern Suns, the default mail program uses a $USER.lock file, and I wouldn't be surprised if this is true on may other UNIX derivatives. -- Rahul Dhesi UUCP: oliveb!cirrusl!dhesi