Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!dbj.rice@rand-relay
From: dbj.rice%rand-relay@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: /bin/mail
Message-ID: <1976@sri-arpa.UUCP>
Date: Wed, 15-Jun-83 01:28:57 EDT
Article-I.D.: sri-arpa.1976
Posted: Wed Jun 15 01:28:57 1983
Date-Received: Sat, 11-Jun-83 21:17:56 EDT
Lines: 12

From: Dave Johnson

We noticed the "gaping security hole" in /bin/mail here at Rice and found a simple way to fix the problem (actually, Bill LeFebvre here found the solution). Make /bin/mail do a setuid(getuid()) after forking a subprocess but before execing /etc/delivermail. Delivermail is actually the one that mails to files and it doesn't expect to be a setuid program. It thus doesn't check for access() to write on the file, but merely does it and lets it fail if it will. /bin/mail IS supposed to be setuid to root, but delivermail IS NOT. The setuid(getuid()) in /bin/mail sets the effective uid back to the real uid, undoing the effect of /bin/mail being a setuid program before running delivermail.
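The fork / setuid(getuid()) / exec pattern the post describes, written out as an added C example (this is not the 1983 /bin/mail source or Rice's patch). The helper names drop_to_real_uid and run_as_caller are assumptions, and the program being exec'd is /bin/sh rather than /etc/delivermail so it runs anywhere. The one thing it adds beyond the post is the check after setuid(): the drop is verified by comparing geteuid() with getuid() instead of trusting the return value, because a child that keeps root and then execs an unprivileged helper recreates exactly the hole being closed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Give up the privilege a setuid program was started with: set the effective
 * uid back to the real uid of the caller, as the post describes.  Returns 0
 * only if the ids really changed, -1 otherwise.
 *
 * For a setuid-ROOT program, setuid() resets real, effective and saved uid,
 * so the change is permanent.  For a setuid program owned by a non-root user
 * the saved set-user-ID survives setuid(); that case is outside this example. */
int drop_to_real_uid(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    /* Do not trust the return value alone; confirm the effective uid moved. */
    if (geteuid() != real)
        return -1;
    return 0;
}

/* Fork, drop privilege in the child, then exec `path` with `argv`.
 * The parent waits and returns the child's exit status (0..255), or -1 if
 * fork/wait failed or the child was killed by a signal.  The child exits 126
 * if the privilege drop failed (so we never exec with root kept by mistake)
 * and 127 if execv failed. */
int run_as_caller(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                       /* child */
        if (drop_to_real_uid() != 0)
            _exit(126);
        execv(path, argv);
        _exit(127);                       /* only reached if execv failed */
    }

    int status;                           /* parent */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample command: succeeds only if the child's effective uid
     * equals its real uid, i.e. the setuid effect was undone before exec. */
    char *const check_ids[] = { "sh", "-c", "[ \"$(id -u)\" = \"$(id -ru)\" ]", NULL };
    int rc = run_as_caller("/bin/sh", check_ids);

    printf("child ran with euid == uid: %s (exit status %d)\n",
           rc == 0 ? "yes" : "no", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user the program prints "yes"; installed setuid root it still prints "yes", which is the point: whatever /bin/sh does with files afterwards is done with the caller's own uid, so the kernel's permission check on the target file applies, exactly as it would for delivermail.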