empty mailbox deletion and /bin/mail forwarding bug (was: non-superuser chown(2)s considered harmful)

Leslie Mikesell les at chinet.chi.il.us
Sat Dec 22 03:55:01 AEST 1990


In article <1990Dec20.182455.17753 at eci386.uucp> woods at eci386.UUCP (Greg A. Woods) writes:

>OOPS!  You're right!  It does let me steal a user's (potential) mail!

>> IMHO it would be just as useful if it didn't chown the forwarding file
>> but left it owned by the uid that actually gave the command.

>That might be a partial hack to at least show the culprit, but the
>correct one is to check if you are the right person before blindly
>doing such a drastic thing as forwarding.  Seems to me that it's a
>simple bug that needs fixing, and it certainly doesn't have anything
>to do with non-root chown(2)'s being harmful!

But wait - there's more!
  At least one of the replacement mailers will:
  (A) allow forwarding to programs when "|command" is found in the
      forwarding file.
  (B) run the program under the uid of the recipient of the message.
  (C) perform a security check before doing (B), based on the ownership
      of the forwarding file.

These add up to a serious problem that wouldn't exist if the ownership
of a file meant that either the owner or root wanted it that way.

Les Mikesell
  les at chinet.chi.il.us
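
An added example, not part of the original post and not taken from any mailer: one way a delivery agent could decide whether the owner of a forwarding file actually proves consent before it runs a "|command" entry as the recipient. It treats ownership as evidence only when the system restricts chown(2) to root, which POSIX exposes through `fpathconf()` with `_PC_CHOWN_RESTRICTED`. The function names, the verdict enum, the extra write-permission check and the sample path are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts for a forwarding file (hypothetical names, for this example only). */
enum fwd_verdict { FWD_OK, FWD_UNREADABLE, FWD_NOT_REGULAR, FWD_WRONG_OWNER,
                   FWD_WRITABLE_BY_OTHERS, FWD_OWNER_NOT_PROOF };

/* Pure decision. st is the fstat() result; chown_restricted is the value of
 * fpathconf(_PC_CHOWN_RESTRICTED), where -1 means files can be given away. */
enum fwd_verdict judge_forward(const struct stat *st, uid_t recipient,
                               long chown_restricted)
{
    if (!S_ISREG(st->st_mode))             return FWD_NOT_REGULAR;
    if (st->st_uid != recipient)           return FWD_WRONG_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return FWD_WRITABLE_BY_OTHERS;
    /* The owner matches, but where non-root chown(2) is allowed any user
     * could have written this file and then handed it to the recipient. */
    if (chown_restricted == -1)            return FWD_OWNER_NOT_PROOF;
    return FWD_OK;
}

/* Open first, then inspect the descriptor, so the file judged is the file read. */
enum fwd_verdict check_forward_file(const char *path, uid_t recipient)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return FWD_UNREADABLE;
    enum fwd_verdict v = FWD_UNREADABLE;
    if (fstat(fd, &st) == 0) {
        /* -1 is returned both for "not restricted" and for a failed query;
         * either way ownership is not trusted (fail closed). */
        long r = fpathconf(fd, _PC_CHOWN_RESTRICTED);
        v = judge_forward(&st, recipient, r);
    }
    close(fd);
    return v;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "forward.constructed"; /* constructed */
    printf("%s: verdict %d\n", path, check_forward_file(path, getuid()));
    return 0;
}
```

A verdict of `FWD_OWNER_NOT_PROOF` is the case the post describes: the ownership check passes, yet it says nothing about who wrote the file.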