Mail security

jdb%s1-c at sri-unix.UUCP
Sat Jun 11 01:37:26 AEST 1983


Unfortunately, "delivermail" is insecure because it can mail to files
and send mail through pipes to processes that it spawns.  Causing
"/bin/mail" to setuid(getuid()) before invoking "delivermail" solves
some of the problems, but it doesn't solve them all (for reasons I'd
rather not circulate in a public forum).  It also causes some new
problems of its own.

Consider the case of the "msgs" program.  In a hostile environment
it may be undesirable to leave "/usr/msgs" world-writable (as it would
also be undesirable to leave individual mailboxes world-writable,
since mischievous users could corrupt or truncate them).  Non-root
users would then use "mail msgs" which is later aliased to
"|/usr/ucb/msgs -s".  In order for this to work, however, either
"delivermail" (which writes to non-mailbox files and pipes) or "msgs"
would have to run suid-root.  Alternate examples include mailing to
system log files (e.g. a "bugs" file); if the file isn't world-writable
then "delivermail" must run suid-root (or at least sgid-something) to
write it.

It seems that a better approach would be to forbid mailing to files and
(pipes to) programs unless these files and programs are specified in
"/usr/lib/aliases".  Thus, mailing to system-established files and
programs would work, but users wouldn't be able to mail to any random
target.

	John Bruner
	S-1 Project/Lawrence Livermore Lab
	jdb at s1-c
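The policy proposed above (a file or pipe destination is deliverable only if the administrator listed it in the aliases file) can be made concrete in a few lines of C. This is an added example, not code from the post or from any delivermail or sendmail release; it assumes a simplified "alias: target, target" line format and checks against a constructed sample aliases table rather than a real /usr/lib/aliases.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the "alias: target, target" format; not the
 * contents of any real system's /usr/lib/aliases. */
static const char SAMPLE_ALIASES[] =
    "msgs: |/usr/ucb/msgs -s\n"
    "bugs: /usr/adm/bugs\n"
    "wizards: jdb, root\n";

enum target_kind { TARGET_MAILBOX, TARGET_FILE, TARGET_PIPE };

/* Classify one recipient string: a leading '/' is a file, a leading '|'
 * is a pipe to a program, anything else is an ordinary mailbox. */
enum target_kind classify_target(const char *t)
{
    if (t[0] == '|') return TARGET_PIPE;
    if (t[0] == '/') return TARGET_FILE;
    return TARGET_MAILBOX;
}

/* Compare `target` with one alias expansion item, ignoring surrounding
 * blanks. `item` is not NUL-terminated; `len` bounds it. */
static int item_matches(const char *item, size_t len, const char *target)
{
    while (len > 0 && (*item == ' ' || *item == '\t')) { item++; len--; }
    while (len > 0 && (item[len - 1] == ' ' || item[len - 1] == '\t')) len--;
    return len == strlen(target) && memcmp(item, target, len) == 0;
}

/* Return 1 if `target` appears verbatim as a comma-separated item on the
 * right-hand side of some "alias: ..." line in `aliases`, else 0. */
int target_in_aliases(const char *aliases, const char *target)
{
    const char *line = aliases;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = (const char *)memchr(line, ':', linelen);
        if (colon != NULL) {
            const char *item = colon + 1;
            const char *end = line + linelen;
            while (item < end) {
                const char *comma =
                    (const char *)memchr(item, ',', (size_t)(end - item));
                const char *stop = comma ? comma : end;
                if (item_matches(item, (size_t)(stop - item), target))
                    return 1;
                item = stop + 1;
            }
        }
        line = eol ? eol + 1 : line + linelen;
    }
    return 0;
}

/* The proposed rule: mailboxes are always deliverable; a file or pipe
 * target is deliverable only when it is an exact alias expansion, so a
 * user cannot name an arbitrary file or program as a recipient. */
int delivery_allowed(const char *aliases, const char *target)
{
    switch (classify_target(target)) {
    case TARGET_MAILBOX:
        return 1;
    case TARGET_FILE:
    case TARGET_PIPE:
        return target_in_aliases(aliases, target);
    }
    return 0;
}

/* Wrapper over the constructed sample table. */
int sample_allowed(const char *target)
{
    return delivery_allowed(SAMPLE_ALIASES, target);
}

int main(void)
{
    /* Constructed recipient strings: two listed targets, a mailbox, and
     * two unlisted file/pipe targets that the rule must refuse. */
    const char *tries[] = { "jdb", "|/usr/ucb/msgs -s", "/usr/adm/bugs",
                            "/usr/spool/mail/jdb", "|/usr/ucb/msgs -c" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-20s %s\n", tries[i],
               sample_allowed(tries[i]) ? "allowed" : "refused");
    return 0;
}
```

The comparison is exact on purpose: "|/usr/ucb/msgs -c" is refused even though the program is the same one listed under "msgs", because only the administrator's expansion, flags included, is trusted. With this check in place the delivery agent can keep whatever privilege it needs to write the listed files and run the listed programs without that privilege being reachable through a user-chosen recipient.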


