Another Sendmail security problem
Felix Lee
flee at shire.cs.psu.edu
Sat Apr 29 13:18:30 AEST 1989
In article <28952 at ucbvax.BERKELEY.EDU>,
Jim Haynes <haynes at ucscc.ucsc.EDU> describes
a problem similar to something I've found recently.

Our Sendmail under SunOS 4.0 will apparently run "|program" recipients
with arbitrary uids. I've been unable to duplicate this with Sendmail
5.59 running on a Vax, but this may be a vagary of configuration.

My .forward file currently includes "|cookie", where "cookie" is a
script that just records the id that it's run by. So far I have about
a dozen different cookies, mostly from local users who have sent me
mail, several from daemon, and a few from local users who have not
sent me mail.

Watching the mail queue, mail to me gets expanded to my mailbox and
"|cookie"; the message gets dropped in my mailbox, and "|cookie" gets
queued. The control file for the "|cookie" delivery doesn't keep the
recipient id; something arbitrary (like the sender, or the recipient
of the previous message) is used when the queue gets run. I leave it
to sendmail experts to delve the internal state that controls this.

(The original "|cookie" was intended to be a harmless prank on someone
whose .forward file was writable by other. It was something like

    grep -s "Cookie" || (fortune | mail -s "Cookie" `whoami`)

but then, random people started getting cookies..)
--
Felix Lee flee at shire.cs.psu.edu *!psuvax1!shire!flee
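
Added example, not part of the original post: a defender-side audit for the two conditions the post mentions, a .forward file writable by someone other than its owner and "|program" recipients inside it. The function names and the sample files are constructed for illustration, and the parser assumes comma- or newline-separated entries with optional double quotes.

```python
import os
import stat
import tempfile

def pipe_recipients(text):
    """Return the "|program" recipients found in .forward text."""
    entries, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted          # quotes protect commas in "|prog args"
        elif ch in ",\n" and not quoted:
            entries.append(cur)
            cur = ""
        else:
            cur += ch
    entries.append(cur)
    return [e.strip()[1:].strip() for e in entries if e.strip().startswith("|")]

def audit_forward(path):
    """Report who besides the owner can write a .forward and what it runs."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as fh:
        programs = pipe_recipients(fh.read())
    return {
        "path": path,
        "group_writable": bool(mode & stat.S_IWGRP),
        "other_writable": bool(mode & stat.S_IWOTH),
        "programs": programs,
    }

def demo():
    """Constructed sample: one loose and one tight .forward in a temp dir."""
    results = []
    with tempfile.TemporaryDirectory() as home:
        samples = {
            "loose": ('\\flee, "|cookie"\n', 0o666),
            "tight": ("flee@example.org\n", 0o600),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(home, name + ".forward")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)         # chmod is not affected by the umask
            results.append(audit_forward(path))
    return results

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A file that is both writable by others and carries a program recipient is the case to fix first, since anyone who can edit it chooses what the mailer runs.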