Nasty Security Hole?

Greg Woods woods at gpu.utcs.toronto.edu
Wed Nov 23 14:43:19 AEST 1988


In article <13155 at ncoast.UUCP> allbery at ncoast.UUCP (Brandon S. Allbery) writes:
> As quoted from <1988Nov13.192003.22144 at gpu.utcs.toronto.edu> by woods at gpu.utcs.toronto.edu (Greg Woods):
> | I doubt you need set-group-id on mailx, since it only manipulates the
> | user's own mailbox.  Making it set-gid will allow anyone to read or
> | write all system mailboxes.  I've also found that no implementation of
> | mailx or BSD Mail (that I've used) bothers to reset real uid and gid
> | when spawning a sub-process, at least not when sending mail.
> 
> Don't try this at home, kids.
> 
> If you're unlucky enough to have a mailer which uses links to lock mailboxes,
> mailx MUST be set[ug]id (which depends on whether you run your primary
> mailer [/bin/mail] setuid or setgid).  As far as I know, all System V's
> still use links because someone was afraid that record locks can't emulate
> file locks.  (hmph; just lock the byte AFTER eof!)

I have no doubt that Brandon is right.  I hope that anyone who has found
this security hole in mailx hasn't also lost mail by disabling the
ability of mailx to lock their mailbox.

I have been somewhat confused over time, since I've known that BSD Mail
doesn't require set-id, nor does mush.  Mush uses lockf() [or
locking()], and I assume Mail does the same.

Of interest, the mailx I have running on our Unix-PC at work (mailx2.14)
doesn't complain about not being able to lock the mailbox, though it
does exhibit lots of strange behavior.  I attributed the faults to bugs,
but maybe that's its way of complaining.  Some of our users have lost
mailboxes. :-(

This leaves open the question as to why mailx has a special set-[ug]id
programme (rmmail) to remove empty mailboxes.  If mailx must itself be
set-id, then rmmail is useless.

If your mailx must write to the system spool directory, and it exhibits
the security violation, you'd better complain to your vendor, and fast,
before everyone reads your mail.  1/4 :-)
-- 
						Greg Woods.

{utgpu,lsuc!gate,ontmoh}!woods, woods@{gpu.utcs.Toronto.EDU,utorgpu.BITNET}
1-416-443-1734 [h], 1-416-595-5425 [w]   LOCATION: Toronto, Ontario, Canada
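
The quoted remark about mailx and BSD Mail not resetting ids before spawning a sub-process, shown as an added example (not part of the original post, and not code from mailx, Mail or mush): one way a set-[ug]id program can hand the child only the invoking user's own ids. The names drop_setid_privs and spawn_unprivileged and the /bin/sh demo command are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: give up set-uid/set-gid privilege by making the
 * effective ids equal to the real ids. Group first: once the uid has
 * been dropped the process may no longer be allowed to change its gid. */
static int drop_setid_privs(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;
    /* Check the result instead of trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid) return -1;
    return 0;
}

/* Hypothetical helper: run argv[0] as a sub-process with the invoking
 * user's own ids. Returns the child's exit status, or -1 if it could
 * not be started or did not exit normally. */
int spawn_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {                      /* child */
        if (drop_setid_privs() != 0)
            _exit(126);                  /* refuse to exec while privileged */
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo command: print the ids the child really runs with. */
    char *const cmd[] = { "/bin/sh", "-c", "id", NULL };
    printf("child exit status: %d\n", spawn_unprivileged(cmd));
    return 0;
}
```

The drop happens in the child only, so the parent keeps whatever privilege it needs for mailbox locking while the spawned program gets none of it.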


