Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!wivax!decvax!harpo!seismo!rochester!ritcv!mjl
From: mjl@ritcv.UUCP
Newsgroups: net.unix-wizards
Subject: /bin/mail protections
Message-ID: <402@ritcv.UUCP>
Date: Fri, 10-Jun-83 10:29:26 EDT
Article-I.D.: ritcv.402
Posted: Fri Jun 10 10:29:26 1983
Date-Received: Tue, 14-Jun-83 09:06:14 EDT
References: sri-arpa.1927
Lines: 18

The biggest problem with 4.1 /bin/mail is that it's both a front end and a
back end to delivermail.  In the former role, it should not act set-uid root,
as this will be inherited by delivermail, which then permits all sorts of bad
things (like writing to arbitrary files).  In the latter role, /bin/mail
probably should be set-uid to support protection of mailboxes by the owners
and controlled writing by the senders.

Our local fix was to have /bin/mail do a setgid(getgid()) and setuid(getuid())
just before executing delivermail.  Thus delivermail runs with the sender's
permissions.  When delivermail later calls /bin/mail to actually store the
letter, the root permissions are reinstated and the mail can be delivered.

If anyone out there sees a gaping hole that I'm missing, please let me know.

Mike Lutz
{allegra,seismo}!rochester!ritcv!mjl
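The drop-then-exec pattern the post describes, written out as an added example in modern C.  This is not the 4.1BSD /bin/mail source or the poster's patch; the back-end path is a placeholder, and the function names are ours.  Two details a practitioner would want that the two-line description leaves implicit: setgid() must run before setuid(), because once the effective uid is no longer 0 the process can no longer change its group, and every return value is checked, so a failed setuid() aborts rather than exec'ing the back end as root.  On a system newer than the one in the post you would also clear supplementary groups with setgroups() (not available in 4.1BSD) before the setgid() call.

```c
/* Added example, not code from the original post or from 4.1BSD:
 * a set-uid front end that permanently gives up its elevated
 * credentials, returning to the invoking user's real uid/gid,
 * before exec'ing an unprivileged back end. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop the effective group and user ids to the real ones.
 * Order matters: setgid() has to run while the effective uid is
 * still 0, because after setuid(getuid()) succeeds an unprivileged
 * process may no longer change its group id.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) == -1)
        return -1;
    if (setuid(ruid) == -1)
        return -1;

    /* Verify the kernel really changed both effective ids; never
     * trust a privilege drop you have not checked. */
    if (geteuid() != ruid || getegid() != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the effective ids already match the real ids, else 0. */
int privileges_dropped(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Drop privileges, then exec the back end with the caller's own
 * credentials.  Does not return on success.  Returns -1 without
 * exec'ing if the drop fails, so a failed setuid() can never leave
 * the back end running as root. */
int exec_unprivileged(const char *path, char *const argv[])
{
    if (drop_privileges() == -1)
        return -1;
    execv(path, argv);
    return -1;  /* execv only returns on error */
}

int main(int argc, char **argv)
{
    /* Hypothetical back-end path standing in for delivermail. */
    const char *backend = "/usr/lib/delivermail";
    (void)argc;

    if (exec_unprivileged(backend, argv) == -1) {
        fprintf(stderr, "exec %s: %s\n", backend, strerror(errno));
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

Run as an ordinary user the drop is a no-op that still succeeds (setgid()/setuid() to your own ids are always permitted), which is what makes the check below meaningful regardless of who runs it; installed set-uid root, the same code reduces the effective ids to the caller's before the back end ever starts.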