Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!mcnc!idis!george
From: george@idis.UUCP (George Rosenberg)
Newsgroups: net.unix-wizards
Subject: Re: Need help with mail security bug
Message-ID: <271@idis.UUCP>
Date: Sun, 1-Apr-84 11:06:26 EST
Article-I.D.: idis.271
Posted: Sun Apr 1 11:06:26 1984
Date-Received: Tue, 3-Apr-84 19:58:12 EST
References: pjscom.392, <270@idis.UUCP> utzoo.3691
Lines: 50

Errata to my article on Security and Integrity Problems with Mail

That article contained the following caveat:

"Everything here is based on my recall without going to the trouble of consulting sources or making tests."

I pointed out that several of the problems I mentioned depended in part upon a writable mail spool directory. (They did not all depend on this.) I said:

"I believe that the mail program was designed assuming that directory is publicly writable."

Henry Spencer pointed out (utzoo.3691) that regarding this assumption I was confusing v7 /bin/mail with other versions of /bin/mail or other mailers. I believe he was correct about this. Apparently v7 /bin/mail does not make that assumption.

In order to correct my article the above sentence (two occurrences) should be changed to:

"I believe that mailer programs on some UNIX systems were designed assuming that directory is publicly writable. If you are certain that the mailers on your system do not need that directory to be publicly writable, you might want to protect the directory so that it is not publicly writable."

Delete the following sentence from that article.

"This list, for the most part will refer to v7 /bin/mail."

The below sentences were in the article.

"In such cases the protection of that file (mode) might be controlled by the person sending the mail. Combining this with 2. or 3. above could compromise the security (privacy) of that user's mail."

Change them to the below sentence.

"In such cases the protection of that file (mode) might have some liberal value which could compromise the security (privacy) of that user's mail."

George Rosenberg
idis!george
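An administrator's check for the two conditions the errata discusses, a publicly writable spool directory and mailbox files whose mode has "some liberal value", written here as an added POSIX sh example; it is not code from the original posting. The thread does not name the spool path, so the directory is passed as an argument and the /var/mail in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audit a mail spool directory for a publicly writable
# directory and for mailbox files whose mode lets other users read them.
# POSIX sh; parses `ls -ld` so it behaves alike on BSD-derived and GNU systems.

# Ten-character permission string of a path, e.g. "drwxrwxrwt".
perm_string() { ls -ld "$1" | cut -c1-10; }

# True (exit 0) when "other" has the write bit: character 9 is 'w'.
is_world_writable() {
    case "$(perm_string "$1" | cut -c9)" in w) return 0 ;; *) return 1 ;; esac
}

# True when the sticky bit is set (character 10 is 't' or 'T'); in a shared
# writable spool it stops one user from removing or renaming another's mailbox.
has_sticky_bit() {
    case "$(perm_string "$1" | cut -c10)" in t|T) return 0 ;; *) return 1 ;; esac
}

# True when group (character 5) or other (character 8) can read the file;
# such a "liberal" mode exposes the owner's mail to other users.
is_readable_by_others() {
    case "$(perm_string "$1")" in ????r*|???????r*) return 0 ;; *) return 1 ;; esac
}

# Print one WARN line per finding; exit 0 when clean, 1 when something needs
# fixing (chmod o-w on the directory, chmod 600 on the mailbox).
audit_spool() {
    spool=$1; findings=0
    if is_world_writable "$spool"; then
        if has_sticky_bit "$spool"; then note="sticky bit set"; else note="no sticky bit"; fi
        echo "WARN: $spool is world-writable ($note)"
        findings=1
    fi
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        if is_readable_by_others "$f"; then
            echo "WARN: mailbox $f is readable by group/other: $(perm_string "$f")"
            findings=1
        fi
    done
    return $findings
}

# Usage, path assumed (the thread does not name it): audit_spool /var/mail
```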