Xref: utzoo comp.mail.sendmail:715 comp.unix.wizards:15794
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!rutgers!psuvax1!flee
From: flee@shire.cs.psu.edu (Felix Lee)
Newsgroups: comp.mail.sendmail,comp.unix.wizards
Subject: Another Sendmail security problem
Message-ID:
Date: 29 Apr 89 03:18:30 GMT
References: <28952@ucbvax.BERKELEY.EDU>
Sender: news@psuvax1.cs.psu.edu
Organization: Penn State University Computer Science
Lines: 27
Distribution:

In article <28952@ucbvax.BERKELEY.EDU>, Jim Haynes describes a problem
similar to something I've found recently.

Our Sendmail under SunOS 4.0 will apparently run "|program" recipients
with arbitrary uids. I've been unable to duplicate this with Sendmail
5.59 running on a Vax, but this may be a vagary of configuration.

My .forward file currently includes "|cookie", where "cookie" is a
script that just records the id that it's run by. So far I have about
a dozen different cookies, mostly from local users who have sent me
mail, several from daemon, and a few from local users who have not sent
me mail.

Watching the mail queue, mail to me gets expanded to my mailbox and
"|cookie"; the message gets dropped in my mailbox, and "|cookie" gets
queued. The control file for the "|cookie" delivery doesn't keep the
recipient id; something arbitrary (like the sender, or the recipient of
the previous message) is used when the queue gets run.

I leave it to sendmail experts to delve the internal state that
controls this.

(The original "|cookie" was intended to be a harmless prank on someone
whose .forward file was writable by other. It was something like

	grep -s "Cookie" || (fortune | mail -s "Cookie" `whoami`)

but then, random people started getting cookies..)
--
Felix Lee	flee@shire.cs.psu.edu	*!psuvax1!shire!flee
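
An audit for the two conditions the post mentions, a .forward that others can write and "|program" recipients inside it. This is an added example, not part of the original post or of sendmail; the function names and finding labels are constructed, and it assumes each .forward should be owned by the owner of its home directory.

```sh
#!/bin/sh
# Added example: audit .forward files (names and labels are constructed).

# Print each "|program" recipient in a .forward file, one per line.
# Simplification: recipients are split on commas and newlines, so a quoted
# recipient that itself contains a comma is reported in pieces.
pipe_recipients() {
    tr ',' '\n' < "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' |
        grep '^|' || true
}

# Print one finding per line for a single .forward file.
# $1 = path to the file, $2 = uid expected to own it.
audit_forward() {
    f=$1
    owner=$2
    [ -f "$f" ] || return 0
    # Group- or other-writable: anyone in that class can add a recipient.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE-BY-OTHERS $f"
    fi
    if [ -n "$(find "$f" -prune ! -user "$owner" -print)" ]; then
        echo "OWNER-MISMATCH $f"
    fi
    # Every program recipient is a command the mailer will execute.
    pipe_recipients "$f" | while IFS= read -r r; do
        echo "PROGRAM-RECIPIENT $f $r"
    done
}

# Audit DIR/.forward for each home directory given, taking the
# directory's numeric owner as the expected owner of the file.
audit_homes() {
    for home in "$@"; do
        uid=$(ls -ldn "$home" | awk '{print $3}')
        audit_forward "$home/.forward" "$uid"
    done
}

# Usage: sh audit.sh /home/*
if [ "$#" -gt 0 ]; then audit_homes "$@"; fi
```

Program recipients are not a fault in themselves; the listing shows which commands depend on the mailer choosing the right uid at queue-run time.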