Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!cca!decvax!harpo!seismo!hao!hplabs!sri-unix!mann%Shasta@su-score
From: mann%Shasta%su-score@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: /bin/mail
Message-ID: <1928@sri-arpa.UUCP>
Date: Wed, 8-Jun-83 14:40:00 EDT
Article-I.D.: sri-arpa.1928
Posted: Wed Jun  8 14:40:00 1983
Date-Received: Fri, 10-Jun-83 16:03:20 EDT
Lines: 13

From:  Tim Mann 

Making Berkeley 4.1 /bin/mail setuid to root creates a gaping
security hole, because /bin/mail allows you to mail to files.
This is true in spite of the fact that Berkeley's MAKE script
makes it setuid to root.

The only safe (?) way I know of to set things up is to create
a special "mail" group, make /bin/mail setgid to this group,
and arrange for the mail spool directory and mail files to be
group-writeable.

	--Tim
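
An audit check for the two configurations the post contrasts, as an added example that is not part of the original article: it flags a setuid-root mail binary and checks for the setgid "mail" group layout with a group-writable spool. The function names, the use of GNU `stat -c`, and the default group name `mail` are assumptions; the caller supplies the binary and spool paths.

```shell
#!/bin/sh
# Added example (not from the original article). MODE arguments are octal
# strings as printed by GNU `stat -c %a`; the group name defaults to "mail".

# classify_binary MODE OWNER GROUP [MAILGROUP]
classify_binary() {
    case $1 in ''|*[!0-7]*) echo "ERROR:bad-mode"; return 2 ;; esac
    bits=$((0$1))                      # leading 0 makes the shell read it as octal
    if [ $((bits & 04000)) -ne 0 ] && [ "$2" = root ]; then
        echo "FAIL:setuid-root"; return 1       # the setup the post warns about
    elif [ $((bits & 02000)) -ne 0 ] && [ "$3" = "${4:-mail}" ]; then
        echo "OK:setgid-${4:-mail}"; return 0   # the setup the post proposes
    fi
    echo "OTHER:no-mail-privilege"; return 1
}

# classify_spool MODE GROUP [MAILGROUP]
# Applies to the spool directory and to each mailbox file in it.
classify_spool() {
    case $1 in ''|*[!0-7]*) echo "ERROR:bad-mode"; return 2 ;; esac
    bits=$((0$1))
    if [ "$2" = "${3:-mail}" ] && [ $((bits & 020)) -ne 0 ]; then
        echo "OK:group-writable"; return 0
    fi
    echo "FAIL:not-writable-by-${3:-mail}"; return 1
}

# audit_mail_setup BINARY SPOOLDIR [MAILGROUP]
# Reads the real modes with stat and returns 0 only if both checks pass.
audit_mail_setup() {
    a_grp=${3:-mail} a_rc=0
    a_bin=$(stat -c '%a %U %G' -- "$1") || return 2
    a_dir=$(stat -c '%a %G' -- "$2") || return 2
    a_binpath=$1 a_dirpath=$2
    set -- $a_bin
    a_r1=$(classify_binary "$1" "$2" "$3" "$a_grp") || a_rc=1
    set -- $a_dir
    a_r2=$(classify_spool "$1" "$2" "$a_grp") || a_rc=1
    echo "$a_binpath: $a_r1"
    echo "$a_dirpath: $a_r2"
    return $a_rc
}

# Run as: sh audit.sh /bin/mail <spool-directory> [group]
if [ "$#" -ge 2 ]; then audit_mail_setup "$@"; fi
```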