Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!ittvax!swatt
From: swatt@ittvax.UUCP
Newsgroups: net.mail,net.unix-wizards
Subject: Re: Mail Security and Locking Problems
Message-ID: <771@ittvax.UUCP>
Date: Mon, 6-Jun-83 18:07:06 EDT
Article-I.D.: ittvax.771
Posted: Mon Jun 6 18:07:06 1983
Date-Received: Tue, 7-Jun-83 23:02:25 EDT
Lines: 55

Sam Praul is mistaken (sorry, Sam) about which program in the mail system should be SUID to root:

  + DO NOT make /etc/delivermail SUID to root. There is code in delivermail to do "setuid(getuid())" at various places, but I have never seen a claim that it is really secure. The successor "sendmail" is supposed to be secure.

  + DO make /bin/mail SUID to root. This is usually a slightly smarter version of the standard v7 mail.

  + DO NOT make "rmail" a simple link to "/bin/mail" for UUCP; use the special "rmail" program that comes with delivermail. This one disallows "!" shell escapes.

Delivermail uses a separate mailer program for each type of delivery: local, UUCP network, Arpa network, and so on. It "cheats" and uses "/bin/mail" for both local delivery and UUCP delivery. Thus local mail is passed from "ucbmail" (if you run it) to "delivermail" and finally to "/bin/mail" for actual delivery. Only the last stage needs to be able to manipulate files in the mail spool area.

There is a bug in the standard 4.1bsd distribution (I don't know what tape range) such that a number of programs which should have been SUID were not. There was an update notice which explained this. The real fix is:

	su root
	cd /usr/src/cmd
	setenv DESTDIR / ; MAKE MODES	(csh ["root" runs csh by default])
or:
	DESTDIR=/ MAKE MODES		(bourne shell)

This will set the owner and modes correctly for a number of programs. Setting the "DESTDIR" variable is important, or MAKE will try to diddle things in "/4bsd/...". MAKE is a shell script if you're curious.
In general, if you have questions about what belongs where and in what mode and owned by whom, this is a good place to start.

If you have this problem, you should look at the 4.1bsd bug news reports which come with the standard distribution; you might have missed others. Some of these fixes are quite important and should be made.

One of the "UNIX Newsletter" rags (I forget which one) first came out with the misinformation about delivermail. In general, the new publications I've seen promote professional writing and production at the expense of technical accuracy. If you're getting technical advice from various industry rags, make sure the article is signed by someone claiming expertise; professional writers who summarize what they've been told are prone to errors that could prove dangerous.

The above obviously applies to advice you get from the net ...

	- Alan S. Watt
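
An added example, not part of the original post: a shell audit of the three DO / DO NOT rules above, run against a root prefix. The location of rmail is not given in the post, so it is passed in as a parameter, and the expected owner uid is overridable (an assumption of this example) so the checks can be exercised on a constructed tree without being root.

```shell
#!/bin/sh
# Added example: audit the post's three recommendations under a root prefix.
# Assumptions (not from the post): rmail's path is supplied by the caller,
# and the expected owner uid is overridable so a constructed tree can be
# checked without being root (0 = root on a live system).

is_suid_to() {    # is_suid_to FILE UID: set-uid bit set and owned by UID
    [ -u "$1" ] && [ "$(ls -lnL "$1" | awk '{print $3}')" = "$2" ]
}

same_file() {     # both paths resolve to one inode (hard link or symlink);
                  # inode-only, so it assumes they share a filesystem
    [ -e "$1" ] && [ -e "$2" ] &&
    [ "$(ls -Li "$1" | awk '{print $1}')" = "$(ls -Li "$2" | awk '{print $1}')" ]
}

# audit_mail_modes ROOT RMAIL_PATH [OWNER_UID]
# Prints one ok/FAIL line per rule; returns 0 only if all three hold.
audit_mail_modes() {
    root=$1 rmail=$2 uid=${3:-0} bad=0
    if is_suid_to "$root/etc/delivermail" "$uid"; then
        echo "FAIL /etc/delivermail is set-uid; it must not be"; bad=1
    else echo "ok   /etc/delivermail is not set-uid"; fi
    if is_suid_to "$root/bin/mail" "$uid"; then
        echo "ok   /bin/mail is set-uid"
    else echo "FAIL /bin/mail is not set-uid; final delivery needs it"; bad=1; fi
    if same_file "$root$rmail" "$root/bin/mail"; then
        echo "FAIL $rmail is a link to /bin/mail, not the special rmail"; bad=1
    else echo "ok   $rmail is a separate program"; fi
    return $bad
}

# Constructed tree (empty files, not real binaries) that breaks all three rules.
demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/bin" &&
    : > "$d/etc/delivermail" && : > "$d/bin/mail" &&
    chmod 4755 "$d/etc/delivermail" && chmod 755 "$d/bin/mail" &&
    ln "$d/bin/mail" "$d/bin/rmail" && echo "$d"
}
t=$(demo_tree) && { audit_mail_modes "$t" /bin/rmail "$(id -u)" || true; rm -rf "$t"; }
```

On a live system the call would be `audit_mail_modes "" <path to rmail>`, leaving the owner uid at its default of 0.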