Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!husc6!seismo!cmcl2!beta!unm-la!unmvax!hi!josh
From: josh@hi.UUCP
Newsgroups: comp.unix.questions
Subject: Re: Why can't mail have unpost command
Message-ID: <930@sonne.hi.uucp>
Date: Wed, 25-Feb-87 13:18:06 EST
Article-I.D.: sonne.930
Posted: Wed Feb 25 13:18:06 1987
Date-Received: Fri, 27-Feb-87 22:04:44 EST
References: <1850@cit-vax.Caltech.Edu> <1712@druhi.UUCP>
Reply-To: josh@sonne.UUCP (Josh)
Organization: Univ. of New Mexico, Albuquerque
Lines: 67

In article <1712@druhi.UUCP> clive@druhi.UUCP (Clive Steward) writes:
>in article <1850@cit-vax.Caltech.Edu>, trent@cit-vax.Caltech.Edu (Ray Trent) says:
>[...]
>> Tell me, how do you prevent someone from simply coming in and 'canceling'
>> someone else's mail, reading the return copy, and resending it? That is,
>> unless you want to rewrite mail to pass along a password or something.
>[...]
>
>Well, I think you certainly have a point worth looking into, Ray.
>
>Let's consider. On a given machine, there will be only one user with a
>given (usable->first in /etc/passwd) userid. And no (non-root) way to
>fake one.
>
>Also, mail headers contain this information, in the path from which the
>mail came.
>
>Further, we already have server access control, in the current way
>mail works.
>
>It seems to me then, that a simple addition to the server can
>easily and securely know which pieces of mail, if any, a given
>(local or remote) requester deserves to cancel.
>
>And that no one can beat this, unless they have root (or mail)
>privileges, and furthermore, on the recipient's machine.
>
>It's late, so maybe I'm wrong. What do you think?
>
>
>Clive

Well, again... Let's consider.

The unpost could be made secure over an ethernet by using a set of
rcmd (like rlogin) so that a root on one machine cannot kill any mail
sent from a user on a different machine.
On the other hand I still can kill any mail sent from the machine I
have root on to any other machine. Or is the restriction true at all
about the fact that root on one machine cannot remove mail from
another machine?

How 'bout the following?

Person X has a PC. Person Y has a sun. X is system manager on system Z.
X sees Y using root to break into other machines and sends mail to the
"authorities" on machine W and then goes to lunch (after turning off
the PC). Y then waits for the arp table on W to clear the entry for
X's PC. THEN, changes his name to the name X's PC uses and clears the
letter X sent to the "authorities". He then changes it back to his own
name. This gives him time to erase some of the evidence against him.

I know this is a bad example because X would walk over to the
"authorities" after lunch to see what they thought but it gets the
point across. X could also be a sun and Y on a PC since I have been
told (but have not seen it done) that it is not too hard to bring down
a machine over the ethernet without root.

Also, what if the letter goes over UUCP? Now it is easy. If I also
talk to the machine via UUCP then I can just change my name, log in to
my own account via UUCP and cancel his mail.

In all... I think the whole system could be made almost secure but I
would not like a clever hacker blowing away my mail.

How do I "unpost"? I 'su' and vi(1) his mail file! :-)

			--Josh Siegel
			josh@hi.unm@hc.dspo.gov
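
The design question argued in this thread, as an added example that is not part of the original post: a cancel check that trusts the requester's claimed name (the scheme the X/Y scenario defeats) beside one that requires a per-message secret, along the lines of the "pass along a password" idea quoted from Ray Trent. All function names, addresses and the spool layout are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def make_cancel_key(sender_secret: bytes, message_id: str) -> bytes:
    """Per-message key that only the holder of sender_secret can derive."""
    return hmac.new(sender_secret, message_id.encode(), hashlib.sha256).digest()

def deliver(spool: dict, message_id: str, sender: str, body: str, cancel_key: bytes) -> None:
    """Store the message with lock = SHA-256(cancel_key); the key itself is not sent."""
    lock = hashlib.sha256(cancel_key).hexdigest()
    spool[message_id] = {"from": sender, "body": body, "lock": lock}

def cancel_by_name(spool: dict, message_id: str, claimed_sender: str) -> bool:
    """Weak check: trusts whatever identity the requester claims."""
    msg = spool.get(message_id)
    if msg is None or msg["from"] != claimed_sender:
        return False
    del spool[message_id]
    return True

def cancel_by_key(spool: dict, message_id: str, presented_key: bytes) -> bool:
    """Stronger check: requester must present the preimage of the stored lock."""
    msg = spool.get(message_id)
    if msg is None:
        return False
    presented = hashlib.sha256(presented_key).hexdigest()
    if not hmac.compare_digest(presented, msg["lock"]):  # constant-time compare
        return False
    del spool[message_id]
    return True

def demo() -> dict:
    # Constructed sample values: X's private secret and one message on W's spool.
    secret, mid, sender = b"x-private-secret", "<1@pc-x.example>", "x@pc-x"
    spool, results = {}, {}
    deliver(spool, mid, sender, "report to W", make_cancel_key(secret, mid))
    # Y claims X's name but cannot derive X's per-message key: refused.
    results["forged_key"] = cancel_by_key(spool, mid, make_cancel_key(b"guess", mid))
    # Under the name-only rule, the same borrowed name is enough: mail is gone.
    results["spoofed_name"] = cancel_by_name(spool, mid, sender)
    # The real sender, holding the secret, can still cancel a redelivered copy.
    deliver(spool, mid, sender, "report to W", make_cancel_key(secret, mid))
    results["real_key"] = cancel_by_key(spool, mid, make_cancel_key(secret, mid))
    results["spool_empty"] = not spool
    return results

if __name__ == "__main__":
    print(demo())
```

The key-based check does nothing against root on the sender's own machine, who can read the secret, nor against root on the recipient's machine editing the mail file directly, which are the two cases the post itself points out.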