non-superuser chown(2)s considered harmful
Brandon S. Allbery KB8JRR
allbery at NCoast.ORG
Sun Dec 16 14:39:12 AEST 1990
As quoted from <1990Dec11.203632.7402 at chinet.chi.il.us> by les at chinet.chi.il.us (Leslie Mikesell):
+---------------
| In article <1990Dec11.005644.20688 at cbnewsk.att.com> hansen at pegasus.att.com (Tony L. Hansen) writes:
| >The mail(1) command uses chown(2) and set-gid to give a secure mail system. I
| >feel that other methods are fraught with potential security holes.
|
| MAIL=/usr/mail/you LOGNAME=you mail -F me
+---------------
LOGNAME was used to (a) get your mail even while you're su'd and (b) get
around the fact that more than one login name can map to a given uid. (Note
to SCO: luids do *not* fix this, so don't get any stupid ideas.) My guess is
that it should use LOGNAME only if its associated uid is the same as the real
uid (or luid, if available; arguably, one wants to read one's own mail from
under su in most cases).
I agree: setgid /bin/mail was a very good idea with only that one fatal flaw.
++Brandon
--
Me: Brandon S. Allbery VHF/UHF: KB8JRR on 220, 2m, 440
Internet: allbery at NCoast.ORG Packet: KB8JRR @ WA8BXN
America OnLine: KB8JRR AMPR: KB8JRR.AmPR.ORG [44.70.4.88]
uunet!usenet.ins.cwru.edu!ncoast!allbery Delphi: ALLBERY
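The check Brandon proposes, written out as an added example (not code from the post or from any mail(1) implementation): honour $LOGNAME only when the passwd entry it names carries the caller's real uid, and otherwise fall back to getpwuid() on that uid. The spool prefix, the function names and the enum are assumptions made for the example; real_uid is passed in rather than read with getuid() inside so the policy can be exercised for any uid.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of deciding which login name a setgid mail reader may trust. */
enum login_source {
    LOGIN_FROM_LOGNAME = 0,   /* $LOGNAME accepted: it maps to the real uid */
    LOGIN_FROM_REAL_UID = 1,  /* $LOGNAME unset or rejected; used getpwuid(real uid) */
    LOGIN_UNKNOWN = -1        /* no passwd entry found either way */
};

/* Hypothetical spool prefix for this example; real mail(1) has its own. */
#define MAIL_SPOOL "/usr/mail/"

/*
 * Pick the login name whose mailbox may be opened.
 *
 * $LOGNAME is useful for two things the post mentions: reading your own mail
 * while su'd, and choosing among several login names that share one uid.  It
 * is therefore accepted only when getpwnam(LOGNAME)->pw_uid == real_uid.  A
 * LOGNAME that maps to a different uid (the "LOGNAME=you mail -F me" trick
 * quoted above) is ignored and the real uid's own entry is used instead.
 */
enum login_source trusted_login(const char *logname, uid_t real_uid,
                                char *name, size_t namesz)
{
    const struct passwd *pw = NULL;
    enum login_source src = LOGIN_FROM_REAL_UID;

    if (logname != NULL && *logname != '\0') {
        pw = getpwnam(logname);
        if (pw != NULL && pw->pw_uid == real_uid)
            src = LOGIN_FROM_LOGNAME;
        else
            pw = NULL;               /* names somebody else: discard it */
    }
    if (pw == NULL)
        pw = getpwuid(real_uid);     /* fall back to the real uid's own entry */
    if (pw == NULL)
        return LOGIN_UNKNOWN;

    snprintf(name, namesz, "%s", pw->pw_name);
    return src;
}

/*
 * Build the mailbox path from the trusted name.  $MAIL is never consulted:
 * an environment-supplied path is the other half of the quoted trick.
 * Returns the login_source value, or -1 (LOGIN_UNKNOWN) if no entry exists.
 */
int trusted_mailbox(const char *logname, uid_t real_uid,
                    char *path, size_t pathsz)
{
    char name[64];
    enum login_source src = trusted_login(logname, real_uid, name, sizeof name);

    if (src == LOGIN_UNKNOWN)
        return -1;
    snprintf(path, pathsz, "%s%s", MAIL_SPOOL, name);
    return (int)src;
}

int main(void)
{
    char path[256];
    int src = trusted_mailbox(getenv("LOGNAME"), getuid(), path, sizeof path);

    if (src < 0) {
        fprintf(stderr, "no passwd entry for uid %lu\n", (unsigned long)getuid());
        return 1;
    }
    printf("mailbox: %s (%s)\n", path,
           src == LOGIN_FROM_LOGNAME ? "from LOGNAME" : "from real uid");
    return 0;
}
```

Run it as an ordinary user with LOGNAME pointing at another account and the program reports that account's name was discarded in favour of the real uid's entry; with LOGNAME naming one of your own aliases for the same uid, that alias is kept. The luid variant the post mentions would substitute the login uid for real_uid where the system provides one.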