non-superuser chown(2)s considered harmful

Leslie Mikesell les at chinet.chi.il.us
Sat Dec 15 04:21:37 AEST 1990


In article <1990Dec13.192712.25225 at cbnewsk.att.com> hansen at pegasus.att.com (Tony L. Hansen) writes:
>< Are you talking about the same SysV /bin/mail that I have (AT&T SysVr3)

>Yes, that bug was once there, but has been since squashed in SVr4 mail.
>Compare the small number of security problems in Sys V mail through the years
>(always using setgid+chown) with the numerous security problems in BSD mail
>through the years (using setuid-root, world-writable mail area, or various
>other schemes). I'll take the setgid+chown any day.

But those problems mostly relate to the additional functionality of those
other mailers.  SysV mail doesn't (and can't without being setuid root)
offer to run pipes in my .forward file under my uid during delivery.  It
also happily takes my word that I am who I say I am.

The "enhanced" /bin/mail that is supplied with AT&T's PMX-mailer products
introduces a crude way of specifying programs as aliases and thus incurs
some new security problems.  I suppose this is also "fixed in SysVr4"
by disallowing any shell metacharacters in mail addresses.  I fixed
it by installing smail 3 and tossing the AT&T stuff, although it has
some problems as well.  In particular, its security checking is severely
compromised by the /bin/mail behaviour I mentioned earlier and the fact
that a setuid program can't determine (at least under sysV) the effective
id of the invoker.  But at least now if I find a problem I can fix it.

Les Mikesell
  les at chinet.chi.il.us
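An added example, not code from this post or from any AT&T or smail release, of the check a setgid delivery helper can make instead of "taking my word that I am who I say I am": the sender is derived from the kernel-maintained real uid rather than from a name the caller supplies. It assumes a POSIX system; the function names are mine, and the comments note the caveat raised above that the invoker's effective id is not visible to the helper.

```c
/* Added example (not from the original post): establish the invoking user
 * from the real uid instead of trusting a claimed sender name.
 * Assumes POSIX getuid()/getpwuid(); function names are hypothetical. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve the real uid of the invoker to an account name.
 * Returns 1 on success, 0 if the uid has no passwd entry.
 * Caveat from the post: a setuid/setgid helper only sees the invoker's
 * real uid; if the invoker was itself a setuid program, the effective id
 * it ran under is not recoverable here. */
int invoker_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());   /* real uid, not geteuid() */
    if (pw == NULL)
        return 0;
    snprintf(buf, len, "%s", pw->pw_name);
    return 1;
}

/* Accept a claimed sender only when it matches the account that actually
 * invoked us. An unknown invoker is refused rather than guessed at. */
int claimed_sender_ok(const char *claimed)
{
    char actual[256];
    if (claimed == NULL || !invoker_name(actual, sizeof actual))
        return 0;
    return strcmp(claimed, actual) == 0;
}

int main(int argc, char **argv)
{
    const char *claimed = argc > 1 ? argv[1] : "nobody";  /* constructed default */
    if (claimed_sender_ok(claimed))
        printf("sender %s verified against real uid %u\n",
               claimed, (unsigned)getuid());
    else
        printf("sender %s does not match invoking uid %u; rejecting\n",
               claimed, (unsigned)getuid());
    return 0;
}
```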