Xref: utzoo comp.bugs.4bsd:880 comp.bugs.misc:169 comp.bugs.sys5:502
Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!rochester!pt.cs.cmu.edu!cadre!pitt!hoffman
From: hoffman@pitt.UUCP (Bob Hoffman)
Newsgroups: comp.bugs.4bsd,comp.bugs.misc,comp.bugs.sys5
Subject: Re: Hard Links between UNIX Utility Programs
Keywords: unix links bsd sysv sys5
Message-ID: <3642@pitt.UUCP>
Date: 29 Jul 88 18:53:41 GMT
References: <184@chip.UUCP> <185@chip.UUCP>
Reply-To: hoffman@vax.cs.pittsburgh.edu (Bob Hoffman)
Organization: Univ. of Pittsburgh Computer Science
Lines: 40

In article <185@chip.UUCP> mparker@chip.UUCP (M. D. Parker) writes:
>... I want to prevent users from
>examining the mailq using the /usr/ucb/mailq program

I believe it can be done by setting protections and group-IDs carefully.

First of all, I think it's safe to assume that you don't want any of your
users executing /usr/lib/sendmail directly for any reason.  Sendmail is
normally invoked by the users' mail agent, e.g. /bin/mail, /usr/ucb/Mail,
etc.  I propose a way of restricting execution of /usr/lib/sendmail without
losing any functionality for the users sending or receiving mail or for the
administration of the mail facility.

1. Create a group in /etc/group called 'mail' that includes the system
   manager.

	mail::7:root

2. Change the group ID and protection on /usr/lib/sendmail (and its links,
   newaliases and mailq) so that only group 'mail' can execute it:

	-rwsr-x---  2 root     mail       112640 Mar 27 15:33 /usr/lib/sendmail

3. Change the group ID and set-GID bits on each mail user agent and any
   other program that might have need to call sendmail:

	-rwsr-sr-x  1 root     mail        41984 Dec 30  1987 /bin/mail
	-rwxr-sr-x  1 root     mail        14336 Jun  6  1986 /bin/rmail
	-rwxr-sr-x  1 root     mail       185344 Jun  7 13:08 /usr/local/bin/elm
	-rwxr-sr-x  2 root     mail        74752 Dec 31  1987 /usr/ucb/Mail

4. Finally, make sure /usr/spool/mqueue is not world-readable:

	drwxrwx---  2 root     mail         2048 Jul 29 14:50 /usr/spool/mqueue/

I believe this will do as Mr. Parker asks.  Have I overlooked anything?

--
Bob Hoffman, N3CVL        {allegra, bellcore, cadre, idis, psuvax1}!pitt!hoffman
Pitt Computer Science     hoffman@vax.cs.pittsburgh.edu
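An added example, not part of Hoffman's post: a small POSIX shell audit of the four-step scheme above, run against a throw-away stand-in tree rather than a live /usr/lib/sendmail. The file list and the expected ls -l mode strings are the ones the post lists; the stand-in ROOT layout, `build_tree`, `audit_tree` and `mode_of` are constructed here for illustration. Only the mode bits are checked; the `chgrp mail` part of steps 2 to 4 needs root and an existing 'mail' group, so it is left out of the scratch tree. The script also shows the hard-link point of the thread: because mailq and newaliases are links to sendmail, a single chmod on sendmail changes all three, and a world-executable sendmail is reported three times.

```shell
#!/bin/sh
# Added example, not from the original post: audit the permission scheme
# Hoffman proposes on a scratch tree. Modes are copied from the post's ls -l
# listings; paths are relative to a ROOT so nothing outside it is touched.

# path:mode pairs, exactly as they appear in the post.
MAIL_LAYOUT="usr/lib/sendmail:-rwsr-x--- \
usr/ucb/mailq:-rwsr-x--- \
usr/ucb/newaliases:-rwsr-x--- \
bin/mail:-rwsr-sr-x \
bin/rmail:-rwxr-sr-x \
usr/local/bin/elm:-rwxr-sr-x \
usr/ucb/Mail:-rwxr-sr-x \
usr/spool/mqueue:drwxrwx---"

# mode_of PATH: the 10-character mode column of ls -ld. cut keeps the result
# identical on GNU ls, which may append '.' or '+' for SELinux/ACL labels.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# build_tree ROOT [open]: create the stand-in layout with the post's modes.
# With a second argument, sendmail is left world-executable (4755), which is
# the state step 2 of the post exists to remove.
build_tree() {
    _r=$1
    mkdir -p "$_r/usr/lib" "$_r/usr/ucb" "$_r/bin" "$_r/usr/local/bin" "$_r/usr/spool/mqueue"
    : > "$_r/usr/lib/sendmail"
    # newaliases and mailq are hard links to sendmail, as in the post's listing
    # (link count 2), so a chmod on any one of the three changes all of them.
    ln "$_r/usr/lib/sendmail" "$_r/usr/ucb/mailq"
    ln "$_r/usr/lib/sendmail" "$_r/usr/ucb/newaliases"
    for _f in bin/mail bin/rmail usr/local/bin/elm usr/ucb/Mail; do
        : > "$_r/$_f"
    done
    chmod 6755 "$_r/bin/mail"                                              # -rwsr-sr-x
    chmod 2755 "$_r/bin/rmail" "$_r/usr/local/bin/elm" "$_r/usr/ucb/Mail"  # -rwxr-sr-x
    chmod 770  "$_r/usr/spool/mqueue"                                      # drwxrwx---
    if [ -n "$2" ]; then
        chmod 4755 "$_r/usr/lib/sendmail"   # -rwsr-xr-x : any user can run mailq
    else
        chmod 4750 "$_r/usr/lib/sendmail"   # -rwsr-x--- : group 'mail' only
    fi
}

# audit_tree ROOT: print one line per path whose mode differs from the post's
# listing and return the number of such paths (0 means the scheme is in place).
audit_tree() {
    _root=$1
    _bad=0
    for _entry in $MAIL_LAYOUT; do
        _path=${_entry%%:*}
        _want=${_entry#*:}
        _have=$(mode_of "$_root/$_path")
        if [ "$_have" != "$_want" ]; then
            echo "$_root/$_path: have ${_have:-missing}, want $_want"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Demonstration: a tree laid out as the post describes passes; one with a
# world-executable sendmail is flagged on all three hard links.
demo() {
    _ok=$(mktemp -d) && _open=$(mktemp -d) || return 1
    build_tree "$_ok"
    build_tree "$_open" open
    echo "correct tree:"
    audit_tree "$_ok" && echo "  no deviations"
    echo "world-executable sendmail:"
    audit_tree "$_open" || echo "  $? deviation(s)"
    rm -rf "$_ok" "$_open"
}
demo
```

To check a real installation, call `audit_tree /` as a user who can stat the files; a deviation on /usr/spool/mqueue ("have drwxr-xr-x") is the world-readable queue the original poster wanted closed. The audit compares mode strings only, so group ownership (`root mail` in the post's listings) still has to be confirmed separately, for example with `ls -ld` on the same paths.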