Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!wivax!decvax!harpo!seismo!rochester!ritcv!mjl
From: mjl@ritcv.UUCP
Newsgroups: net.unix-wizards
Subject: /bin/mail protections
Message-ID: <402@ritcv.UUCP>
Date: Fri, 10-Jun-83 10:29:26 EDT
Article-I.D.: ritcv.402
Posted: Fri Jun 10 10:29:26 1983
Date-Received: Tue, 14-Jun-83 09:06:14 EDT
References: sri-arpa.1927
Lines: 18

The biggest problem with 4.1 /bin/mail is that it's both a front end
and a backend to delivermail.  In the former role, it should not act
set-uid root as this will be inherited by delivermail, which then
permits all sorts of bad things (like writing to arbitrary files).  In
the latter role, /bin/mail probably should be set-uid to support
protection of mailboxes by the owners and controlled writing by the
senders.

Our local fix was to have /bin/mail do a setgid(getgid()) and
setuid(getuid()) just before executing delivermail.  Thus delivermail
runs with the sender's permissions.  When delivermail later calls
/bin/mail to actually store the letter, the root permissions are
reinstated and the mail can be delivered.

If anyone out there sees a gaping hole that I'm missing, please let me
know.

Mike Lutz {allegra,seismo}!rochester!ritcv!mjl
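The privilege drop Mike describes (setgid(getgid()) followed by setuid(getuid()) just before exec'ing delivermail) is the front-end half of the fix. The program below is an added illustration of that pattern in modern C, not code from the post or from any mail system: drop_privileges() does the two calls in the order given above and checks that they succeeded, privileges_are_dropped() verifies the drop cannot be undone, and run_as_real_user() forks, drops, and execs a child the way the patched /bin/mail would hand off to delivermail. The function names, the use of /bin/sh as the stand-in child, and the return-value checks (which a 1983 two-liner would not have had) are all this example's own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop a set-uid/set-gid program back to the real IDs of the user who
 * invoked it, in the order the post describes: group first, then user.
 * The order matters because once the effective UID is no longer 0 the
 * process may no longer call setgid() for an arbitrary group.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Never trust the drop blindly: confirm the effective IDs changed. */
    if (geteuid() != ruid || getegid() != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Return 1 when the process can no longer regain root, 0 otherwise.
 * A real UID of 0 has nothing to drop, so that case counts as dropped.
 * Otherwise setuid(0) must fail: when a euid-0 process calls setuid(),
 * the saved set-user-ID is changed as well, so there is no root ID left
 * to switch back to. */
int privileges_are_dropped(void)
{
    if (getuid() == 0)
        return 1;
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (setuid(0) == 0)
        return 0;           /* regained root: the drop was incomplete */
    return errno == EPERM;
}

/* Fork, drop privileges in the child, then exec `path` with `argv`.
 * This is the shape of the post's fix: the child (delivermail in the
 * post, any helper here) inherits only the sender's permissions.
 * Returns the child's exit status, or -1 on fork/wait failure or if
 * the child died from a signal. */
int run_as_real_user(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) {
            perror("drop_privileges");
            _exit(127);     /* refuse to exec with privileges still held */
        }
        execv(path, argv);
        perror("execv");
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check used by main(): run /bin/sh -c "exit 3" as the real user
 * and report its exit status (3 if everything worked). /bin/sh is an
 * assumed stand-in for the real child program. */
int demo_child_status(void)
{
    char *const argv[] = { "sh", "-c", "exit 3", NULL };
    return run_as_real_user("/bin/sh", argv);
}

int main(void)
{
    printf("before: uid=%ld euid=%ld gid=%ld egid=%ld\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid());
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("after:  uid=%ld euid=%ld gid=%ld egid=%ld dropped=%d\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid(),
           privileges_are_dropped());
    printf("child exit status: %d\n", demo_child_status());
    return 0;
}
```

Run as an ordinary user the "before" and "after" lines show the same IDs, because the binary is not installed set-uid; the drop is a no-op that still succeeds. Installed set-uid root (chown root, chmod u+s) the "before" line shows euid=0 and the "after" line shows the real user's IDs with dropped=1, and the exec'd child sees only those. The check in privileges_are_dropped() is the part that matters for the "gaping hole" question: on a system where setuid() from euid 0 did not also reset the saved set-user-ID, the child could call setuid(0) and get root back, and that function would report 0.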