Xref: utzoo news.sysadmin:1940 news.admin:4288
Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!haven!aplcen!osiris!news
From: news@osiris.UUCP (Phil Kos)
Newsgroups: news.sysadmin,news.admin
Subject: Re: Bug in mail
Keywords: bugs ARRGH NO NEVER SETUID!!!
Message-ID: <2641@osiris.UUCP>
Date: 13 Dec 88 19:37:47 GMT
References: <1215@altger.UUCP> <8515@alice.UUCP> <355@skep2.ATT.COM>
Reply-To: news@osiris.UUCP (Phil Kos)
Organization: The Johns Hopkins Hospital, Information Systems
Lines: 14

In article <355@skep2.ATT.COM> wcs@skep2.UUCP (46323-Bill.Stewart.[ho95c],2G218,x0705,) writes:
>In article <8515@alice.UUCP> debra@alice.UUCP () writes:
>< 1) mail should be suid root, to be able to become the user who invokes
>< it before entering a sub-shell (or an editor).
>
>ARRRGH!!! NO!! NEVER!!! Mail never needs to be root! Major security hole!!

Quite true, it is not necessary to be root to do this. If mail's real uid
is still the user, the child process can set its effective uid equal to its
real uid (but not vice versa, according to our local setreuid(2) manpage -
only root can set real uid = effective uid).

Follow least privilege and DON'T make mail setuid root.

Phil Kos uunet!pyrdc!osiris!phil
The Johns Hopkins Hospital, Information Systems
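
The child-side drop described in the post above, as an added example that is not part of the original post or of any mail program's source: a set-uid (non-root) program forks, and only the child sets its effective ids back to its real ids before it execs the sub-shell or editor. It assumes POSIX setreuid(2)/setregid(2) semantics, where setting the real uid also resets the saved set-user-ID; the names `drop_to_real_ids` and `run_as_invoker` are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* declares setreuid(2) and setregid(2) */
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up the set-uid/set-gid identity for good in the calling process.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid();
    /* Group first: once the uid is dropped we may no longer be allowed to. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != ruid || getegid() != rgid)
        return -1;
    /* The real uid was set explicitly, so the saved set-user-ID is reset too:
     * the old effective uid must be out of reach (root can always switch). */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child only, then exec argv there.
 * Returns the exit status; 126 = drop failed, 127 = exec failed, -1 = error. */
int run_as_invoker(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_real_ids() != 0)
            _exit(126);          /* never exec while still privileged */
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const shell[] = { "sh", "-c", "id", NULL };   /* constructed sample */
    return run_as_invoker(shell) == 0 ? 0 : 1;
}
```

The parent keeps its effective uid for the work that needs it, while everything the user can steer (shell escapes, the editor) runs with the invoker's ids only.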