Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!att!tut.cis.ohio-state.edu!usenet.ins.cwru.edu!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery KB8JRR)
Newsgroups: comp.unix.internals
Subject: Re: non-superuser chown(2)s considered harmful
Message-ID: <1990Dec16.033912.10322@NCoast.ORG>
Date: 16 Dec 90 03:39:12 GMT
References: <2800:Dec1001:29:4890@kramden.acf.nyu.edu> <1990Dec11.005644.20688@cbnewsk.att.com> <1990Dec11.203632.7402@chinet.chi.il.us>
Reply-To: allbery@ncoast.ORG (Brandon S. Allbery KB8JRR)
Followup-To: comp.unix.internals
Organization: North Coast Public Access *NIX, Cleveland, OH
Lines: 24

As quoted from <1990Dec11.203632.7402@chinet.chi.il.us> by les@chinet.chi.il.us (Leslie Mikesell):
+---------------
| In article <1990Dec11.005644.20688@cbnewsk.att.com> hansen@pegasus.att.com (Tony L. Hansen) writes:
| >The mail(1) command uses chown(2) and set-gid to give a secure mail system. I
| >feel that other methods are fraught with potential security holes.
|
| MAIL=/usr/mail/you LOGNAME=you mail -F me
+---------------

LOGNAME was used to (a) get your mail even while you're su'd and (b) get around
the fact that more than one login name can map to a given uid. (Note to SCO:
luids do *not* fix this, so don't get any stupid ideas.) My guess is that it
should use LOGNAME only if its associated uid is the same as the real uid (or
luid, if available; arguably, one wants to read one's own mail from under su in
most cases).

I agree: setgid /bin/mail was a very good idea with only that one fatal flaw.

++Brandon
--
Me: Brandon S. Allbery                    VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery@NCoast.ORG              Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR                    AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery  Delphi: ALLBERY
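The check the post proposes (honour LOGNAME only when the account it names has the caller's real uid, otherwise fall back to the passwd name for that uid), written out as an added example; this is not code from the post or from any mail(1) implementation, and the function names trusted_logname() and mailbox_user() are hypothetical.

```c
/* Added example (not from the post): the LOGNAME sanity check a setgid mail
 * reader should make. trusted_logname() and mailbox_user() are hypothetical. */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if `logname` names an account whose uid equals `real_uid`.
 * A LOGNAME that maps to some other uid (the trick quoted in the post) is
 * rejected, and so is a name the passwd database does not know. */
int trusted_logname(const char *logname, uid_t real_uid)
{
    struct passwd *pw;
    if (logname == NULL || *logname == '\0')
        return 0;
    pw = getpwnam(logname);
    if (pw == NULL)
        return 0;
    return pw->pw_uid == real_uid;
}

/* Decide whose mailbox to open: use LOGNAME when it passes the check (so an
 * account that shares a uid with others still gets its own box), otherwise
 * fall back to the name the passwd database gives for the real uid.
 * Returns 0 on success, -1 if no usable name fits in `out`. */
int mailbox_user(const char *env_logname, uid_t real_uid, char *out, size_t outlen)
{
    const char *name = NULL;
    struct passwd *pw;
    if (trusted_logname(env_logname, real_uid)) {
        name = env_logname;
    } else if ((pw = getpwuid(real_uid)) != NULL) {
        name = pw->pw_name;
    }
    if (name == NULL || strlen(name) >= outlen)
        return -1;
    strcpy(out, name);
    return 0;
}

int main(void)
{
    char user[64];
    /* getuid(), not geteuid(): under setgid the real uid is still the caller's. */
    if (mailbox_user(getenv("LOGNAME"), getuid(), user, sizeof user) == 0)
        printf("would open /usr/mail/%s\n", user);
    return 0;
}
```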