/usr/spool/mail
utzoo!decvax!ucbvax!unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Sat Sep 5 06:25:57 AEST 1981
>From MathStat.jmrubin at Berkeley Sat Sep 5 06:15:14 1981
From csvax:unix-wizards Sat Sep 5 05:33:33 1981
Subject: Re: /usr/spool/mail
Newsgroups: fa.unix-wizards
>From James.Gosling at CMU-10A Sat Sep 5 05:23:07 1981
If /usr/spool/mail is writable it's really easy to become super-user.
1. copy the shell to the file /usr/spool/mail/root
2. make it suid
3. send mail to root
When the mail is sent to root the delivery program only appends the mail to
the mailbox and chowns the file to root. *poof* you have a suid root shell.
The easiest way to stop this is to not have /usr/spool/mail be writable.
James.
I don't think this would work because writing on a setuid file
usually shuts off the setuid bits (and setgid bits); of course, this is
installation dependent. Of course, chown is a priviledged call, but
I suspect chown also turns off the setuid bits. (If it doesn't, then
it should!)
Joel Rubin
More information about the Comp.unix.wizards
mailing list