empty mailbox deletion and /bin/mail forwarding bug (was: non-superuser chown(2)s considered harmful)

Leslie Mikesell les at chinet.chi.il.us
Sat Dec 22 03:55:01 AEST 1990


In article <1990Dec20.182455.17753 at eci386.uucp> woods at eci386.UUCP (Greg A. Woods) writes:

>OOPS!  You're right!  It does let me steal a user's (potential) mail!

>> IMHO it would be just as useful if it didn't chown the forwarding file
>> but left it owned by the uid that actually gave the command.

>That might be a partial hack to at least show the culprit, but the
>correct one is to check if you are the right person before blindly
>doing such a drastic thing as forwarding.  Seems to me that it's a
>simple bug that needs fixing, and it certainly doesn't have anything
>to do with non-root chown(2)'s being harmful!

But wait - there's more!
  At least one of the replacement mailers will:
  (A) allow forwarding to programs when "|command" is found in the
      forwarding file.
  (B) run the program under the uid of the recipient of the message.
  (C) perform a security check before doing (B), based on the ownership
      of the forwarding file.

These add up to a serious problem that wouldn't exist if the ownership
of a file meant that either the owner or root wanted it that way.

Les Mikesell
  les at chinet.chi.il.us



More information about the Comp.unix.internals mailing list