Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 beta 3/9/83; site uthub.UUCP
Path: utzoo!utcsrgv!utai!uthub!wessels
From: wessels@uthub.UUCP (Ron Wessels)
Newsgroups: net.unix-wizards
Subject: Making /usr/spool/mail 755
Message-ID: <135@uthub.UUCP>
Date: Fri, 9-Mar-84 09:51:46 EST
Article-I.D.: uthub.135
Posted: Fri Mar 9 09:51:46 1984
Date-Received: Fri, 9-Mar-84 13:19:28 EST
References: <17220@sri-arpa.UUCP>
Organization: CSRG, University of Toronto
Lines: 112

>> Oh, good grief. Don't make /usr/spool/mail publicly writable:
>>
>> $ mv /usr/spool/mail/me /usr/spool/mail/me.keep
>> $ mv /usr/spool/mail/you /usr/spool/mail/me
>> $ mail ...

> Better than that, you can use 'mail -u user'. An undocumented (I think)
> Berkeley mail option. This lets you pretend that you are that user, and
> play with the mail however you want. The only real problem is that it
> writes undeleted read mail into your mbox rather than his. I have often
> thought that it is a pretty silly option to have...

On 4.xBSD systems, reading other people's mail is the least of your worries
with a writable /usr/spool/mail. With the proper abuse, any user can obtain
a root shell. [ No, I'm not going to give the method for obvious reasons,
but it's not hard to figure out ].

[ By the way, "mail -u user" DOES have a use. /usr/ucb/mail apparently gets
the user name from a getlogin() call. Thus, if you log in as A and su to B,
a simple "mail" will attempt to read A's mailbox, which, of course, is
read-protected from B. You have to do a "mail -u B". ]

Simply changing the protection of /usr/spool/mail breaks the mail locking
system, as several people have previously pointed out. However, unlike those
who have moved the lock files to /tmp (or wherever), we have come up with a
simple fix to /bin/mail that allows /usr/spool/mail to be 755 and still have
the mail locking work.
The diffs follow (the line numbers may be off by a couple because of various SCCS and RSC id strings). *************** *** 124,130 char *p, *getarg(); struct stat statb; - setuid(getuid()); cat(mailfile, maildir, my_name); if (stat(mailfile, &statb) >= 0 && (statb.st_mode & S_IFMT) == S_IFDIR) { --- 126,131 ----- char *p, *getarg(); struct stat statb; cat(mailfile, maildir, my_name); if (stat(mailfile, &statb) >= 0 && (statb.st_mode & S_IFMT) == S_IFDIR) { *************** *** 155,160 } else break; } malf = fopen(mailfile, "r"); if (malf == NULL) { fprintf(stdout, "No mail.\n"); --- 156,165 ----- } else break; } + if (access(mailfile,4) < 0) { + fprintf(stdout, "No mail.\n"); + return; + } malf = fopen(mailfile, "r"); if (malf == NULL) { fprintf(stdout, "No mail.\n"); *************** *** 165,170 fclose(malf); fclose(tmpf); unlock(); tmpf = fopen(lettmp, "r"); changed = 0; --- 170,176 ----- fclose(malf); fclose(tmpf); unlock(); + setuid(getuid()); tmpf = fopen(lettmp, "r"); changed = 0; --------------------------------------------------------------------------- While I'm at it, I'll also post the diffs to change the temp file to be owned by the user, rather than root. This way, people with restrictive umask's can also read mail. *************** *** 84,89 for (i=SIGHUP; i<=SIGTERM; i++) setsig(i, delete); tmpf = fopen(lettmp, "w"); if (tmpf == NULL) { fprintf(stderr, "mail: cannot open %s for writing\n", lettmp); done(); --- 85,91 ----- for (i=SIGHUP; i<=SIGTERM; i++) setsig(i, delete); tmpf = fopen(lettmp, "w"); + chown(lettmp, getuid(), getgid()); if (tmpf == NULL) { fprintf(stderr, "mail: cannot open %s for writing\n", lettmp); done(); ----------------------------------------------------------------------------- These fixes have been installed on several systems here at U. of T. for quite some time with no problems. Hope this helps. 
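Review bot: deleting the early setuid(getuid()) in the first hunk (the 124,130 region) means everything from cat(mailfile, maildir, my_name) through the open of the mailbox now runs with the set-user-id privilege. That is the intent, since the lock file in a 755 spool can only be created with it, but it widens the privileged window, so each error return between this point and the setuid(getuid()) added after unlock() in the third hunk should be checked to confirm it exits rather than continuing as root. A short comment at the deletion site explaining why privilege is now held this long would help the next maintainer.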
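Review bot: in the second hunk (the 155,160 region), `access(mailfile,4)` should use the symbolic R_OK rather than the magic 4, and the access()-then-fopen() pair is a check-then-use window: the decision is taken on a path, not on the file later opened. It is defensible only because the spool directory is no longer world-writable, so that assumption deserves a comment next to the check. Worth noting for readers that access(2) evaluates the real uid, which is exactly what makes this check meaningful while the process still holds root.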
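Review bot: the third hunk (the 165,170 region) places setuid(getuid()) after unlock(), which is the right spot since removing the lock file in a 755 spool still needs privilege, but the return value is discarded. If the call fails, the remainder of the program, including the write to the user's mbox, continues with root privilege. Test the result and done() on failure, e.g. `if (setuid(getuid()) < 0) { perror("mail: setuid"); done(); }`.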
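Review bot: in the last hunk (the 84,89 region) chown(lettmp, getuid(), getgid()) runs before the `if (tmpf == NULL)` check, so on a failed fopen it acts on a path that may not exist, and its own return value is not examined. More importantly chown(2) resolves the path again rather than acting on the file just opened. Move the call after the NULL check and use fchown(fileno(tmpf), getuid(), getgid()) so the ownership change is bound to the stream actually opened, checking its result.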
-- 
Ron Wessels
Computer Systems Research Group
University of Toronto
{ decvax , floyd , ihnp4 , linus , utzoo , uw-beaver }!utcsrgv!uthub!wessels
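To make the ordering the patch establishes concrete, here is an added example in C; it is not the 4.xBSD /bin/mail source from the post. It walks through the same sequence the fix gives /bin/mail: take the lock in the spool while privileged, decide readability with access(2) against the real uid, open the mailbox, release the lock, and only then drop privilege. The function names, the `<spool>/<user>.lock` layout, the fstat guard after fopen(), the checked setuid(), and the constructed spool directory under /tmp are all assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not the 4.xBSD /bin/mail source.  Names, the
 * <spool>/<user>.lock layout and the test spool are assumptions. */
#define PATHBUF 1024

/* Create <spool>/<user>.lock atomically.  In a 755 spool this needs the
 * directory owner's privilege, which is why the patch keeps root until
 * after unlock().  Returns 0, or -1 with errno set (EEXIST if held). */
int lock_mailbox(const char *spool, const char *user) {
    char lock[PATHBUF];
    int fd;
    if (snprintf(lock, sizeof lock, "%s/%s.lock", spool, user) >= (int)sizeof lock) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Remove the lock file; also needs privilege in a 755 spool. */
int unlock_mailbox(const char *spool, const char *user) {
    char lock[PATHBUF];
    snprintf(lock, sizeof lock, "%s/%s.lock", spool, user);
    return unlink(lock);
}

/* The patch's access(mailfile,4) step: access(2) judges the REAL uid, so
 * the decision belongs to the invoking user even while root is held.
 * The fstat guard is an addition: refuse anything that is not a regular
 * file in case the path changed between access() and fopen().
 * Returns 1 with *out set when readable, 0 for "No mail.". */
int open_mailbox(const char *path, FILE **out) {
    struct stat st;
    FILE *f;
    *out = NULL;
    if (access(path, R_OK) < 0)
        return 0;
    if ((f = fopen(path, "r")) == NULL)
        return 0;
    if (fstat(fileno(f), &st) < 0 || !S_ISREG(st.st_mode)) {
        fclose(f);
        return 0;
    }
    *out = f;
    return 1;
}

/* The patch's late setuid(getuid()), with the result verified: 0 only when
 * the effective uid really equals the real uid afterwards. */
int drop_privileges(void) {
    if (setuid(getuid()) < 0)
        return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Lock, check, read, unlock, then drop privilege.  Returns the number of
 * lines in the mailbox, 0 when the user has no readable mailbox, -1 on a
 * locking or privilege failure. */
int read_my_mail(const char *spool, const char *user) {
    char mbox[PATHBUF];
    FILE *f;
    int lines = 0, c;
    snprintf(mbox, sizeof mbox, "%s/%s", spool, user);
    if (lock_mailbox(spool, user) < 0)
        return -1;
    if (open_mailbox(mbox, &f)) {
        while ((c = fgetc(f)) != EOF)
            if (c == '\n')
                lines++;
        fclose(f);
    }
    unlock_mailbox(spool, user);   /* still privileged here ... */
    if (drop_privileges() < 0)     /* ... and dropped only now  */
        return -1;
    return lines;
}

/* Constructed test spool: a fresh 755 directory holding one mailbox. */
const char *make_test_spool(const char *user, const char *body) {
    static char dir[32];
    char path[PATHBUF];
    FILE *f;
    strcpy(dir, "/tmp/mailspool.XXXXXX");
    if (mkdtemp(dir) == NULL || chmod(dir, 0755) < 0)
        return NULL;
    snprintf(path, sizeof path, "%s/%s", dir, user);
    if ((f = fopen(path, "w")) == NULL)
        return NULL;
    fputs(body, f);
    fclose(f);
    return dir;
}

int main(void) {
    const char *spool = make_test_spool("ron", "From alice\nHello Ron\n");
    if (spool == NULL)
        return 1;
    printf("ron: %d line(s)\n", read_my_mail(spool, "ron"));
    printf("nobody: %d line(s)\n", read_my_mail(spool, "nobody"));
    return 0;
}
```

Run as an ordinary user the program simply exercises the sequence; installed set-user-id on a real spool, the point is that every step that touches the spool directory (lock_mailbox, unlock_mailbox) happens before drop_privileges(), while the only decision about whose mailbox may be read is made by access(2) on the real uid, so holding root longer does not let the invoking user see anyone else's mail.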