Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!jdb@s1-c
From: jdb%s1-c@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Mail security
Message-ID: <2017@sri-arpa.UUCP>
Date: Fri, 10-Jun-83 11:37:26 EDT
Article-I.D.: sri-arpa.2017
Posted: Fri Jun 10 11:37:26 1983
Date-Received: Sun, 12-Jun-83 18:11:58 EDT
Lines: 28

Unfortunately, "delivermail" is insecure because it can mail to files and send mail through pipes to processes that it spawns. Causing "/bin/mail" to setuid(getuid()) before invoking "delivermail" solves some of the problems, but it doesn't solve them all (for reasons I'd rather not circulate in a public forum). It also causes some new problems of its own.

Consider the case of the "msgs" program. In a hostile environment it may be undesirable to leave "/usr/msgs" world-writable (as it would also be undesirable to leave individual mailboxes world-writable, since mischievous users could corrupt or truncate them). Non-root users would then use "mail msgs", which is later aliased to "|/usr/ucb/msgs -s". In order for this to work, however, either "delivermail" (which writes to non-mailbox files and pipes) or "msgs" would have to run suid-root. Alternate examples include mailing to system log files (e.g. a "bugs" file); if the file isn't world-writable then "delivermail" must run suid-root (or at least sgid-something) to write it.

It seems that a better approach would be to forbid mailing to files and (pipes to) programs unless these files and programs are specified in "/usr/lib/aliases". Thus, mailing to system-established files and programs would work, but users wouldn't be able to mail to any random target.

John Bruner
S-1 Project/Lawrence Livermore Lab
jdb@s1-c
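The allowlist the post proposes (file and pipe destinations honoured only when they come from the system alias file, never when a user names them directly) can be sketched as a small resolver. This is an added example written for this page, not code from the post or from delivermail; the alias entries, paths and the simplified one-target-per-pipe-line alias syntax are constructed assumptions.

```python
"""
Added example (not from the original post): a delivery-target allowlist in the
spirit of the post's proposal.  File ("/path") and pipe ("|cmd") targets are
delivered only when they originate from the alias file; a user who names such
a target directly is refused.  The alias text below is constructed.
"""

# Constructed stand-in for /usr/lib/aliases (a real implementation reads the file).
ALIASES_TEXT = """\
# system aliases, maintained by root
msgs: |/usr/ucb/msgs -s
bugs: /usr/adm/bugs
postmaster: root
staff: jdb, root
"""


def parse_aliases(text):
    """Parse 'name: target, target' lines into a dict.  '#' lines are comments.
    Assumption: a pipe target occupies the whole right-hand side of its line,
    so its arguments may contain commas without being split."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rhs = line.partition(":")
        if not sep or not rhs.strip():
            continue
        rhs = rhs.strip()
        if rhs.startswith("|"):
            targets = [rhs]
        else:
            targets = [t.strip() for t in rhs.split(",") if t.strip()]
        aliases[name.strip()] = targets
    return aliases


def classify(target):
    """A target is a 'pipe' (|cmd), a 'file' (absolute path) or a 'user'."""
    if target.startswith("|"):
        return "pipe"
    if target.startswith("/"):
        return "file"
    return "user"


def resolve(address, aliases, from_alias_file=False, seen=frozenset()):
    """Expand an address to its final delivery targets.

    Returns (accepted, rejected).  File and pipe targets are accepted only
    when reached through the alias file; named directly by a user they are
    rejected.  'seen' guards against alias loops (a: b, b: a)."""
    if address in seen:
        return [], []
    seen = seen | {address}
    kind = classify(address)
    if kind in ("pipe", "file"):
        return ([address], []) if from_alias_file else ([], [address])
    if address in aliases:
        accepted, rejected = [], []
        for target in aliases[address]:
            a, r = resolve(target, aliases, from_alias_file=True, seen=seen)
            accepted += a
            rejected += r
        return accepted, rejected
    return [address], []          # plain user mailbox


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    # "mail msgs" works because the pipe comes from the alias file ...
    print(resolve("msgs", table))
    # ... but naming a file or pipe directly is refused.
    print(resolve("/usr/adm/bugs", table))
    print(resolve("|/usr/local/bin/anything", table))
```

The policy decision lives in one place (the `from_alias_file` flag carried through `resolve`), which is what makes it auditable: the only way a file or pipe reaches the accepted list is by being spelled out in the root-maintained alias table.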