Making /usr/spool/mail 755

Ron Wessels wessels at uthub.UUCP
Sat Mar 10 00:51:46 AEST 1984


>> Oh, good grief.  Don't make /usr/spool/mail publicly writable:
>>
>>	$ mv /usr/spool/mail/me /usr/spool/mail/me.keep
>>	$ mv /usr/spool/mail/you /usr/spool/mail/me
>>	$ mail ...

> Better than that, you can use 'mail -u user'.  An undocumented (I think) 
> Berkeley mail option.  This lets you pretend that you are that user, and
> play with the mail however you want.  The only real problem is that it
> writes undeleted read mail into your mbox rather than his.  I have often
> thought that it is a pretty silly option to have...

    On 4.xBSD systems, reading other people's mail is the least of your
worries with a writable /usr/spool/mail.  With the proper abuse, any user
can obtain a root shell. [ No, I'm not going to give the method for obvious
reasons, but it's not hard to figure out ].
    [ By the way, "mail -u user" DOES have a use.  /usr/ucb/mail apparently
gets the user name from a getlogin() call.  Thus, if you log in as A and su
to B, a simple "mail" will attempt to read A's mailbox, which, of course,
is read-protected from B.  You have to do a "mail -u B". ]
    Simply changing the protection of /usr/spool/mail breaks the mail
locking system, as several people have previously pointed out.  However,
unlike those who have moved the lock files to /tmp (or wherever), we have
come up with a simple fix to /bin/mail that allows /usr/spool/mail to be
755 and still have the mail locking work.  The diffs follow (the line
numbers may be off by a couple because of various SCCS and RSC id strings).

***************
*** 124,130
  	char *p, *getarg();
  	struct stat statb;
  
- 	setuid(getuid());
  	cat(mailfile, maildir, my_name);
  	if (stat(mailfile, &statb) >= 0
  	    && (statb.st_mode & S_IFMT) == S_IFDIR) {

--- 126,131 -----
  	char *p, *getarg();
  	struct stat statb;
  
  	cat(mailfile, maildir, my_name);
  	if (stat(mailfile, &statb) >= 0
  	    && (statb.st_mode & S_IFMT) == S_IFDIR) {
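Review bot: with `setuid(getuid());` removed at the top of this function, the `stat(mailfile, &statb)` that follows and everything up to the relocated call now run with the set-uid effective id, and nothing in the code says why. Add a comment here stating that privilege is held only so that locking works in a 755 spool directory, and naming the line where it is dropped, so a later edit does not add file operations in this window on the assumption that they run as the user.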
***************
*** 155,160
  		} else
  			break;
  	}
  	malf = fopen(mailfile, "r");
  	if (malf == NULL) {
  		fprintf(stdout, "No mail.\n");

--- 156,165 -----
  		} else
  			break;
  	}
+ 	if (access(mailfile,4) < 0) {
+ 		fprintf(stdout, "No mail.\n");
+ 		return;
+ 	}
  	malf = fopen(mailfile, "r");
  	if (malf == NULL) {
  		fprintf(stdout, "No mail.\n");
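Review bot: the added `access(mailfile,4)` checks the path name, and the `fopen(mailfile, "r")` after it resolves the name a second time with the effective id, so the check and the open are not tied to the same file. That is sound only while users cannot change entries in the spool directory, which is what mode 755 is meant to guarantee. State that dependency in a comment, or open first and validate the open file with fstat(). The literal 4 would also read better as a named read-permission constant.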
***************
*** 165,170
  	fclose(malf);
  	fclose(tmpf);
  	unlock();
  	tmpf = fopen(lettmp, "r");
  
  	changed = 0;

--- 170,176 -----
  	fclose(malf);
  	fclose(tmpf);
  	unlock();
+ 	setuid(getuid());
  	tmpf = fopen(lettmp, "r");
  
  	changed = 0;
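Review bot: the relocated `setuid(getuid());` ignores its return value and is reached only on the path that falls through `unlock();`. The `return;` added after the access() check in the previous hunk appears to leave the same function before this line, so that path hands control back while still privileged. Drop privilege on every exit from the function, and treat a failed setuid() as fatal.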
---------------------------------------------------------------------------

    While I'm at it, I'll also post the diffs to change the temp file to be
owned by the user, rather than root.  This way, people with restrictive
umasks can also read mail.

***************
*** 84,89
  	for (i=SIGHUP; i<=SIGTERM; i++)
  		setsig(i, delete);
  	tmpf = fopen(lettmp, "w");
  	if (tmpf == NULL) {
  		fprintf(stderr, "mail: cannot open %s for writing\n", lettmp);
  		done();

--- 85,91 -----
  	for (i=SIGHUP; i<=SIGTERM; i++)
  		setsig(i, delete);
  	tmpf = fopen(lettmp, "w");
+ 	chown(lettmp, getuid(), getgid());
  	if (tmpf == NULL) {
  		fprintf(stderr, "mail: cannot open %s for writing\n", lettmp);
  		done();
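Review bot: `chown(lettmp, getuid(), getgid());` runs before the `tmpf == NULL` check and its result is ignored. Move it after the check so it is not called for a file that failed to open, prefer fchown(fileno(tmpf), ...) where it is available so ownership changes on the file that was actually opened rather than on whatever the name refers to, and report a failure.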

-----------------------------------------------------------------------------
    These fixes have been installed on several systems here at U. of T.
for quite some time with no problems.  Hope this helps.

-- 
Ron Wessels	Computer Systems Research Group		University of Toronto
{ decvax , floyd , ihnp4 , linus , utzoo , uw-beaver }!utcsrgv!uthub!wessels
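
The ordering the post describes (hold privilege while the mailbox is opened and locked, then give it up) is sketched below in present-day POSIX C as an added example. It is not from the post or from /bin/mail, and the helper names `open_mailbox_for` and `drop_privileges` and the temporary file in `main` are hypothetical. It validates the opened descriptor instead of the path name and checks that the privilege drop took effect.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open a mailbox for reading on behalf of `owner`.
 * The file is opened first and the checks are made on the descriptor,
 * so they apply to the file that will actually be read.
 * Returns a descriptor, or -1 if the file is refused. */
int open_mailbox_for(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||   /* refuse directories, FIFOs, devices */
        st.st_uid != owner) {     /* must belong to the invoking user */
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: give up set-uid privilege and verify the result.
 * Returns 0 on success, -1 if the effective id did not change. */
int drop_privileges(void)
{
    uid_t ruid = getuid();

    if (setuid(ruid) < 0 || geteuid() != ruid)
        return -1;
    return 0;
}

int main(void)
{
    char tmpl[] = "/tmp/mboxXXXXXX";   /* constructed stand-in mailbox */
    int tfd = mkstemp(tmpl), fd;

    if (tfd < 0)
        return 1;
    close(tfd);
    fd = open_mailbox_for(tmpl, geteuid());   /* privileged window */
    if (drop_privileges() < 0)                /* fatal if it fails */
        return 1;
    printf("mailbox %s\n", fd >= 0 ? "opened" : "refused");
    unlink(tmpl);
    return fd >= 0 ? 0 : 1;
}
```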


