Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!mann%Shasta@su-score
From: mann%Shasta%su-score@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: /bin/mail
Message-ID: <1927@sri-arpa.UUCP>
Date: Wed, 8-Jun-83 14:40:00 EDT
Article-I.D.: sri-arpa.1927
Posted: Wed Jun 8 14:40:00 1983
Date-Received: Thu, 9-Jun-83 19:26:33 EDT
Lines: 13

From: Tim Mann

Making Berkeley 4.1 /bin/mail setuid to root creates a gaping security
hole, because /bin/mail allows you to mail to files. This is true in
spite of the fact that Berkeley's MAKE script makes it setuid to root.

The only safe (?) way I know of to set things up is to create a special
"mail" group, make /bin/mail setgid to this group, and arrange for the
mail spool directory and mail files to be group-writeable.

--Tim
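
Added example, not part of the original post: a small Python audit of the arrangement described above. It flags a delivery agent that is setuid root or not setgid to the mail group, and spool entries that are not group-writable by that group. The function names, the default spool path /usr/spool/mail and the default group name "mail" are assumptions.

```python
import argparse
import grp
import os
import stat

def check_agent(mode, uid, gid, mail_gid):
    """Findings for the delivery agent (/bin/mail in the post)."""
    findings = []
    if mode & stat.S_ISUID and uid == 0:
        findings.append("setuid root")
    if not (mode & stat.S_ISGID and gid == mail_gid):
        findings.append("not setgid to the mail group")
    return findings

def check_spool_entry(mode, gid, mail_gid):
    """Findings for the spool directory or one mailbox inside it."""
    if gid != mail_gid:
        return ["not owned by the mail group"]
    if not mode & stat.S_IWGRP:
        return ["not group-writable"]
    return []

def audit(agent, spool, group):
    """Stat the real paths; return (path, finding) pairs."""
    mail_gid = grp.getgrnam(group).gr_gid
    st = os.stat(agent)
    report = [(agent, f) for f in
              check_agent(st.st_mode, st.st_uid, st.st_gid, mail_gid)]
    paths = [spool] + [os.path.join(spool, n) for n in sorted(os.listdir(spool))]
    for path in paths:
        st = os.lstat(path)  # lstat: do not follow symlinks in the spool
        report += [(path, f) for f in
                   check_spool_entry(st.st_mode, st.st_gid, mail_gid)]
    return report

if __name__ == "__main__":
    # Spool path and group name defaults are assumptions; override as needed.
    ap = argparse.ArgumentParser()
    ap.add_argument("--agent", default="/bin/mail")
    ap.add_argument("--spool", default="/usr/spool/mail")
    ap.add_argument("--group", default="mail")
    args = ap.parse_args()
    for path, finding in audit(args.agent, args.spool, args.group):
        print(f"{path}: {finding}")
```

An empty report means the agent and spool match the setgid arrangement; each printed line names one path that does not.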