non-superuser chown(2)s considered harmful
Neil Rickert
rickert at mp.cs.niu.edu
Sun Dec 16 14:32:58 AEST 1990
In article <2807 at cirrusl.UUCP> dhesi%cirrusl at oliveb.ATC.olivetti.com (Rahul Dhesi) writes:
>In <1990Dec14.150710.4273 at mp.cs.niu.edu> rickert at mp.cs.niu.edu (Neil
>Rickert) writes:
>
>> cd /usr/spool/mail
>> touch dhesi
>> chmod 777 dhesi
>
>> Now I own your mail box.
>
>I believe this problem was fixed going from 4.2BSD to 4.3BSD; if
>I remember correctly, the mail delivery program forces the mailbox
>to be owned by the user and not readable or writable by anybody else.

I believe you will find that it does not change the permissions. Note the
chmod I listed there, so that even if owner and group are changed by /bin/mail
the mailbox is still public. Of course you can make it private again. But
how many people go around regularly checking the permissions on their
mailbox?

The /bin/mail on a Sun 4.1 does not seem to change mailbox ownership. I
have a guest account on such a system in which the admin changed my uid,
and the result was I could not access my mailbox till I got him to fix
the ownership.

>If it doesn't, or if I'm remembering incorrectly, the security problem
>is in the mail delivery program, *not* with the fact that the mail
>directory itself is world-writable. We are assuming, of course, that
>the sticky bit is set on the mail directory.
>
>I will grant you that a denial-of-service situation is still possible
>by simply going to the mail directory and creating a file $USER.lock,

Don't you consider this a problem?
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert at cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940
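
The checks this thread says nobody runs by hand (mailbox owner, mailbox mode, stray `$USER.lock` files, sticky bit on the spool directory) can be automated. The Python below is an added example, not part of the original post; the function names are hypothetical, the owner-only mode policy and the "file name equals login name" rule are assumptions, and the demo spool is constructed in a temporary directory.

```python
import os
import pwd
import stat
import tempfile

def owner_name(uid):
    """Map a uid to a login name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_spool(spool):
    """Return (name, problem) findings for one mail spool directory."""
    findings = []
    if not os.stat(spool).st_mode & stat.S_ISVTX:
        findings.append((".", "spool directory lacks the sticky bit"))
    for name in sorted(os.listdir(spool)):
        st = os.lstat(os.path.join(spool, name))
        owner = owner_name(st.st_uid)
        if name.endswith(".lock"):
            # A lock file left in place blocks delivery to that user.
            findings.append((name, "lock file owned by " + owner))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        else:
            if owner != name:
                # Mailbox was created by, or still belongs to, someone else.
                findings.append((name, "owned by " + owner))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                # Assumed policy: only the owner may read or write a mailbox.
                findings.append((name, "mode %o grants group/other access" % stat.S_IMODE(st.st_mode)))
    return findings

def demo():
    """Build a constructed spool (one clean mailbox, one pre-created) and audit it."""
    me = owner_name(os.getuid())
    victim = "not-" + me  # constructed name that cannot match the file's owner
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)
        for name, mode in ((me, 0o600), (victim, 0o777), (victim + ".lock", 0o644)):
            path = os.path.join(spool, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return me, audit_spool(spool)

if __name__ == "__main__":
    for name, problem in demo()[1]:
        print(name, "-", problem)
```

Sites that deliver with a shared mail group and mode 660 would relax the mode check to the "other" bits only.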