Why can't mail have unpost command

josh at hi.UUCP josh at hi.UUCP
Thu Feb 26 04:18:06 AEST 1987


In article <1712 at druhi.UUCP> clive at druhi.UUCP (Clive Steward) writes:
>in article <1850 at cit-vax.Caltech.Edu>, trent at cit-vax.Caltech.Edu (Ray Trent) says:
>[...]
>> Tell me, how do you prevent someone from simply coming in and 'canceling'
>> someone else's mail, reading the return copy, and resending it? That is,
>> unless you want to rewrite mail to pass along a password or something. 
>[...]
>
>Well, I think you certainly have a point worth looking into, Ray.
>
>Let's consider.  On a given machine, there will be only one user with a
>given (usable->first in /etc/passwd) userid.  And no (non-root) way to
>fake one.
>
>Also, mail headers contain this information, in the path from which the 
>mail came.
>
>Further, we already have server access control, in the current way
>mail works.
>
>It seems to me then, that a simple addition to the server can
>easily and securely know which pieces of mail, if any, a given
>(local or remote) requester deserves to cancel.
>
>And that no one can beat this, unless they have root (or mail) 
>privileges, and furthermore, on the recipient's machine.
>
>It's late, so maybe I'm wrong.  What do you think?
>
>
>Clive

Well,
  again... Let's consider.  The unpost could be made secure over an
ethernet by using a set of rcmd (like rlogin) so that a root on one
machine cannot kill any mail sent from a user on a different machine.
On the other hand I still can kill any mail sent from the machine I
have root on to any other machine.  Or is the restriction true at all
about the fact that root on one machine cannot remove mail from another
machine?

How 'bout the following?  Person X has a PC.  Person Y has a sun.  X is
system manager on system Z.  X sees Y using root to break into other
machines and sends mail to the "authorities" on machine W and then goes
to lunch (after turning off the PC).  Y then waits for the arp table on
W to clear the entry for X's PC.  THEN, changes his name to the name
X's PC uses and clears the letter X sent to the "authorities".  He then
changes it back to his own name.  This gives him time to erase some of
the evidence against him.

I know this is a bad example because X would walk over to the
"authorities" after lunch to see what they thought but it gets the
point across.  X could also be a sun and Y on a PC since I have been
told (but have not seen it done) that it is not too hard to bring down a
machine over the ethernet without root.

Also, what if the letter goes over UUCP?  Now it is easy.  If I also
talk to the machine via UUCP then I can just change my name, log in to
my own account via UUCP and cancel his mail.

In all... I think the whole system could be made almost secure but I
would not like a clever hacker blowing away my mail.

How do I "unpost"?  I 'su' and vi(1) his mail file! :-)

			--Josh Siegel 
			josh at hi.unm@hc.dspo.gov
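
The weakness argued in this thread, as an added example that is not part of the original posts: a toy recipient-side spool that authorizes an "unpost" by the sender name the requester claims, next to one that checks a per-message secret (the "pass along a password" idea quoted above). `MailStore`, its methods, `new_lock` and the sample addresses are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class MailStore:
    """Toy recipient-side spool (hypothetical; not any real mailer's API)."""

    def __init__(self):
        self.spool = {}  # msg_id -> (sender, body, lock)

    def deliver(self, msg_id, sender, body, lock=None):
        # 'lock' is the SHA-256 hex digest of a secret only the real sender holds.
        self.spool[msg_id] = (sender, body, lock)

    def cancel_by_claimed_sender(self, msg_id, claimed_sender):
        # Weak: trusts whatever identity the requesting host asserts.
        entry = self.spool.get(msg_id)
        if entry is not None and entry[0] == claimed_sender:
            del self.spool[msg_id]
            return True
        return False

    def cancel_by_token(self, msg_id, secret):
        # Stronger: requester must present the preimage of the stored lock.
        entry = self.spool.get(msg_id)
        if entry is None or entry[2] is None:
            return False
        presented = hashlib.sha256(secret).hexdigest()
        if hmac.compare_digest(presented, entry[2]):
            del self.spool[msg_id]
            return True
        return False


def new_lock():
    """Return (secret, lock) for one outgoing message."""
    secret = secrets.token_bytes(16)
    return secret, hashlib.sha256(secret).hexdigest()


def demo():
    store = MailStore()
    secret, lock = new_lock()
    # Constructed sample messages from X to the "authorities".
    store.deliver("m1", "x@pc", "report", lock)
    store.deliver("m2", "x@pc", "report", lock)
    by_name = store.cancel_by_claimed_sender("m1", "x@pc")  # Y using X's name
    by_guess = store.cancel_by_token("m2", b"guess")         # Y without the secret
    by_owner = store.cancel_by_token("m2", secret)           # X with the secret
    return by_name, by_guess, by_owner
```

Neither check helps against root on the recipient's machine, who can edit the spool directly, as the post's closing line points out.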
