Xref: utzoo news.sysadmin:1913 news.admin:4260
Path: utzoo!utgpu!watmath!clyde!skep2!wcs
From: wcs@skep2.ATT.COM (Bill.Stewart.[ho95c])
Newsgroups: news.sysadmin,news.admin
Subject: Re: Bug in mail
Keywords: bugs ARRGH NO NEVER SETUID!!!
Message-ID: <355@skep2.ATT.COM>
Date: 12 Dec 88 06:49:26 GMT
References: <1215@altger.UUCP> <8515@alice.UUCP>
Reply-To: wcs@skep2.UUCP (46323-Bill.Stewart.[ho95c],2G218,x0705,)
Organization: AT&T Bell Labs Center 4632, Holmdel, NJ
Lines: 50

In article <8515@alice.UUCP> debra@alice.UUCP () writes:
< In article <1215@altger.UUCP> blue@altger.UUCP (blue) writes:
< >I noticed that on many Sys V systems, /usr/spool/mail is left
< >writable while contained mails are not readable~r .
< What you describe is clearly buggy behaviour. Fortunately some mailers
< do better:
< 1) mail should be suid root, to be able to become the user who invokes
<    it before entering a sub-shell (or an editor).

ARRRGH!!! NO!! NEVER!!! Mail never needs to be root! Major security hole!!
It's been done before and abused and cracked before, and I don't believe
it'll be safe if you do it again. It's too easy to lie to a mailer, and
if the mailer can do anything as root you can become root.

The standard System V behaviour is to have /bin/mail setgid mail, and
/usr/mail and the mail file writable by group mail. All it needs to do is
setgid(getuid) first when reading mail, and make sure to open for
append-only when sending mail. The only time it might be fun to have
setuid(root) is to get setuid(recipient) for smart mail-receivers, and I'd
really rather not have anyone send me mail that does what they want with
my userid, thank you! It's dangerous enough to have "Pipe to whatever"
running as uucp or whoever your mail daemon runs as. Maybe make /bin/mail
setuid=nobody setgid=mail where "nobody" is a uid with shell=/bin/sync and
home directory /tmp.

blue@altger.UUCP again:
< >Well, this solves the problem of privacy, since on many systems
< >while you run a sub shell from the mail (read) command you
< >get mail privileges .

Not on vanilla SVR2. I can't read root's mail, and I can't subshell out as
group mail. (Note that if you have /usr/spool/mail, it's not standard
System V; 4.1BSD did it, some vendors may do it, it looks more consistent
and it's certainly how I'd do it if it were up to me, but System V uses
/usr/mail, not /usr/spool/mail.)

(Blue then goes on to describe the problem that the mail directory is 777,
so anybody can trash other peoples' mail; this was either for a Xenix or
an Altos?) Try setting
	/usr/spool/mail or /usr/mail	775	uid=bin gid=mail
	/bin/mail			2755 (setgid, not setuid)	uid=bin gid=mail
and see if your system can still do mail. And rag on your UNIX vendor.

		Bill
-- 
# Thanks;
# Bill Stewart, AT&T Bell Labs 2G218 Holmdel NJ 201-949-0705 ho95c.att.com!wcs
#
# News.  Don't ask me about News.
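The three defensive pieces the post argues for (a setgid-mail reader that drops group "mail" before handing control to the user, a deliverer that only ever opens the mailbox for append, and a spool laid out 775 with a 2755 setgid-not-setuid /bin/mail) are shown below in C. This is an added example for this archive, not code from Bill Stewart's post or from any vendor's /bin/mail. It assumes a POSIX system with a writable /tmp, runs without root and without chown, and O_NOFOLLOW on the delivery open is an addition beyond what the post describes. The self-test builds a throwaway spool under /tmp, shows that the 777 directory blue complained about fails the mode check while 775 passes, and verifies that two appended deliveries land intact.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1. A setgid-mail reader gives up group "mail" before running anything on
 *    the user's behalf (subshell, editor).  Without privilege setgid() is a
 *    harmless no-op, so it is safe to call unconditionally.  Returns 0 only
 *    when the effective gid is verified equal to the real gid; a caller that
 *    gets -1 must refuse to spawn a shell. */
int drop_mail_group(void)
{
    gid_t real = getgid();
    if (setgid(real) != 0)
        return -1;
    if (getegid() != real)      /* confirm the drop actually took */
        return -1;
    return 0;
}

/* 2. Delivery appends and never opens the mailbox for read or truncation.
 *    O_NOFOLLOW (not in the post) refuses a symlink sitting in the spool.
 *    Returns bytes written, or -1 with errno set. */
ssize_t append_to_mailbox(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0660);
    if (fd < 0)
        return -1;
    size_t len = strlen(msg), done = 0;
    while (done < len) {
        ssize_t n = write(fd, msg + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        done += (size_t)n;
    }
    return close(fd) == 0 ? (ssize_t)done : -1;
}

/* 3. Mode predicates for the layout the post recommends.  They take st_mode
 *    permission bits so they can be checked without root or a real spool. */
int spool_mode_ok(mode_t m)     /* 775: group mail writes, world does not */
{
    m &= 07777;
    return (m & S_IWGRP) != 0 && (m & S_IWOTH) == 0;
}

int mailer_mode_ok(mode_t m)    /* 2755: setgid mail, never setuid, not writable */
{
    m &= 07777;
    return (m & S_ISGID) != 0 && (m & S_ISUID) == 0 &&
           (m & S_IWGRP) == 0 && (m & S_IWOTH) == 0;
}

/* Exercise the pieces on a constructed spool under /tmp.  Returns 0 when
 * every step passed, otherwise the number of the first failing step. */
int exercise_layout(void)
{
    char dir[] = "/tmp/spoolXXXXXX";   /* constructed, throwaway spool */
    char box[64];
    struct stat st;
    int rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(box, sizeof box, "%s/blue", dir);

    if (chmod(dir, 0777) != 0 || stat(dir, &st) != 0 || spool_mode_ok(st.st_mode))
        rc = 2;     /* the 777 spool must be rejected */
    else if (chmod(dir, 0775) != 0 || stat(dir, &st) != 0 || !spool_mode_ok(st.st_mode))
        rc = 3;     /* 775 is the recommended mode */
    else if (drop_mail_group() != 0)
        rc = 4;
    else if (append_to_mailbox(box, "From blue\nhello\n\n") < 0 ||
             append_to_mailbox(box, "From wcs\nworld\n\n") < 0)
        rc = 5;
    else {
        char buf[256] = {0};           /* read back: nothing lost, order kept */
        FILE *f = fopen(box, "r");
        if (f == NULL) {
            rc = 6;
        } else {
            size_t n = fread(buf, 1, sizeof buf - 1, f);
            fclose(f);
            buf[n] = '\0';
            if (strcmp(buf, "From blue\nhello\n\nFrom wcs\nworld\n\n") != 0)
                rc = 6;
        }
    }
    unlink(box);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = exercise_layout();
    if (rc == 0)
        printf("all checks passed\n");
    else
        printf("step %d failed\n", rc);
    return rc;
}
```

The mode predicates are deliberately pure functions of st_mode so an audit script can run them against a real /usr/mail and /bin/mail with plain stat() and no privilege; the drop-then-verify pattern in drop_mail_group() is the part that matters most, since a setgid() that silently fails leaves the subshell holding group mail.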