Xref: utzoo comp.bugs.sys5:1379 comp.unix.internals:1595
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!casbah.acns.nwu.edu!accuvax.nwu.edu!midway!gargoyle!chinet!les
From: les@chinet.chi.il.us (Leslie Mikesell)
Newsgroups: comp.bugs.sys5,comp.unix.internals
Subject: Re: empty mailbox deletion and /bin/mail forwarding bug (was: non-superuser chown(2)s considered harmful)
Keywords: chown, mail
Message-ID: <1990Dec21.165501.27889@chinet.chi.il.us>
Date: 21 Dec 90 16:55:01 GMT
References: <1990Dec14.171022.4992@eci386.uucp> <1990Dec16.221025.24838@chinet.chi.il.us> <1990Dec20.182455.17753@eci386.uucp>
Organization: Chinet - Public Access UNIX
Lines: 26

In article <1990Dec20.182455.17753@eci386.uucp> woods@eci386.UUCP (Greg A. Woods) writes:

>OOPS!  You're right!  It does let me steal a user's (potential) mail!

>> IMHO it would be just as useful if it didn't chown the forwarding file
>> but left it owned by the uid that actually gave the command.

>That might be a partial hack to at least show the culprit, but the
>correct one is to check if you are the right person before blindly
>doing such a drastic thing as forwarding.  Seems to me that it's a
>simple bug that needs fixing, and it certainly doesn't have anything
>to do with non-root chown(2)'s being harmful!

But wait - there's more!  At least one of the replacement mailers will:

(A) allow forwarding to programs when "|command" is found in the
    forwarding file.
(B) run the program under the uid of the recipient of the message.
(C) perform a security check before doing (B), based on the ownership
    of the forwarding file.

These add up to a serious problem that wouldn't exist if the ownership
of a file meant that either the owner or root wanted it that way.

Les Mikesell
  les@chinet.chi.il.us
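The check in (C) is only as good as the meaning of file ownership, which is the point of the post: on a system where any owner may chown(2) a file away, "owned by the recipient" does not prove the recipient wrote it. The following is an added example, not code from the mailer under discussion or from anyone in the thread, of how a delivery agent can validate a forwarding file before honouring "|command" lines. The file name `.forward`, the comma-separated format with quoted `|command` entries, and the function names `chown_is_restricted`, `parse_forward`, `forward_targets` and `demo` are all assumptions for this example. It refuses program targets outright when the filesystem permits non-root chown, and in every case it also requires the home directory itself to be owned by the recipient and unwritable by others, since a file in a directory only the owner can write must have been put there by the owner or root, whatever its ownership now claims.

```python
# Added example (not the mailer's own code): a hardened check a delivery agent
# could run before honouring "|command" lines in a user's forwarding file.
# Assumed names: FORWARD_NAME, chown_is_restricted, parse_forward,
# forward_targets, demo. The .forward format below is an assumption too.
import os
import stat
import tempfile

FORWARD_NAME = ".forward"


class ForwardRefused(Exception):
    """Raised when the forwarding file cannot be trusted."""


def chown_is_restricted(path):
    """True when only root may give files away on the filesystem holding path
    (BSD semantics); False where any owner may chown(2) a file to someone
    else, which is the case the thread warns about."""
    try:
        return os.pathconf(path, "PC_CHOWN_RESTRICTED") > 0
    except (OSError, ValueError, AttributeError):
        return False  # unknown: assume the weaker model


def _refuse_if_shared(st, what, owner_uid):
    """Refuse anything not owned by the recipient or writable by others."""
    if st.st_uid != owner_uid:
        raise ForwardRefused(f"{what} owned by uid {st.st_uid}, not {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ForwardRefused(f"{what} is group- or world-writable")


def parse_forward(text):
    """Split a forwarding file into (addresses, programs).
    Entries are comma separated; a "|command" entry names a program."""
    addresses, programs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for item in line.split(","):
            item = item.strip().strip('"')
            if item.startswith("|"):
                programs.append(item[1:].strip())
            elif item:
                addresses.append(item)
    return addresses, programs


def forward_targets(home, recipient_uid, restricted_chown=None):
    """Return (addresses, programs) from home/.forward or raise ForwardRefused.

    Address and program targets both require the home directory and the file
    to belong to the recipient and to be unwritable by others.  Program
    targets additionally require that non-root chown is impossible, because
    otherwise ownership does not prove the recipient asked for a command to
    run under their uid.  restricted_chown=None means: ask the filesystem."""
    path = os.path.join(home, FORWARD_NAME)
    dir_st = os.stat(home)
    if not stat.S_ISDIR(dir_st.st_mode):
        raise ForwardRefused("home is not a directory")
    # Only the owner (or root) can create files in a directory others cannot
    # write, so this check does not depend on who the file now claims to be.
    _refuse_if_shared(dir_st, "home directory", recipient_uid)
    try:
        st = os.lstat(path)  # lstat: a symlink is not a regular file below
    except FileNotFoundError:
        return [], []
    if not stat.S_ISREG(st.st_mode):
        raise ForwardRefused("forwarding file is not a regular file")
    _refuse_if_shared(st, "forwarding file", recipient_uid)
    with open(path) as fh:
        addresses, programs = parse_forward(fh.read())
    if restricted_chown is None:
        restricted_chown = chown_is_restricted(path)
    if programs and not restricted_chown:
        raise ForwardRefused("program forwarding refused: non-root chown allowed")
    return addresses, programs


def demo():
    """Constructed scenario in a temporary directory: one sane .forward checked
    under both chown models, then made world-writable, then checked against
    the wrong uid."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        path = os.path.join(home, FORWARD_NAME)
        with open(path, "w") as fh:  # constructed sample forwarding file
            fh.write('alice@example.com, "|/usr/bin/vacation alice"\n')
        os.chmod(path, 0o600)
        results["bsd"] = forward_targets(home, me, restricted_chown=True)
        for key, uid, mode, restricted in (
            ("sysv_refused", me, 0o600, False),
            ("world_writable_refused", me, 0o666, True),
            ("wrong_owner_refused", me + 1, 0o600, True),
        ):
            os.chmod(path, mode)
            try:
                forward_targets(home, uid, restricted_chown=restricted)
                results[key] = False
            except ForwardRefused:
                results[key] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The directory check is the part worth copying: it holds even on a System V style filesystem, because an attacker who cannot write the recipient's home directory cannot plant a forwarding file there in the first place, so there is nothing for a later chown(2) to launder.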