Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!julius.cs.uiuc.edu!ux1.cso.uiuc.edu!mp.cs.niu.edu!rickert
From: rickert@mp.cs.niu.edu (Neil Rickert)
Newsgroups: comp.unix.internals
Subject: Re: non-superuser chown(2)s considered harmful
Keywords: chown, mail
Message-ID: <1990Dec16.033258.23616@mp.cs.niu.edu>
Date: 16 Dec 90 03:32:58 GMT
References: <2803@cirrusl.UUCP> <1990Dec14.150710.4273@mp.cs.niu.edu> <2807@cirrusl.UUCP>
Organization: Northern Illinois University
Lines: 41

In article <2807@cirrusl.UUCP> dhesi%cirrusl@oliveb.ATC.olivetti.com (Rahul Dhesi) writes:
>In <1990Dec14.150710.4273@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil
>Rickert) writes:
>
>> cd /usr/spool/mail
>> touch dhesi
>> chmod 777 dhesi
>
>> Now I own your mail box.
>
>I believe this problem was fixed going from 4.2BSD to 4.3BSD; if
>I remember correctly, the mail delivery program forces the mailbox
>to be owned by the user and not readable or writable by anybody else.

 I believe you will find that it does not change the permissions. Note the
chmod I listed there, so that even if owner and group are changed by
/bin/mail the mailbox is still public. Of course you can make it private
again. But how many people go around regularly checking the permissions on
their mailbox?

 The /bin/mail on a Sun 4.1 does not seem to change mailbox ownership. I
have a guest account on such a system in which the admin changed my uid,
and the result was I could not access my mailbox till I got him to fix the
ownership.

>If it doesn't, or if I'm remembering incorrectly, the security problem
>is in the mail delivery program, *not* with the fact that the mail
>directory itself is world-writable. We are assuming, of course, that
>the sticky bit is set on the mail directory.
>
>I will grant you that a denial-of-service situation is still possible
>by simply going to the mail directory and creating a file $USER.lock,

 Don't you consider this a problem?
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
 Neil W. Rickert, Computer Science               Northern Illinois Univ.
                                                 DeKalb, IL 60115
                                                 +1-815-753-6940