Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!jdb@s1-c
From: jdb%s1-c@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Mail security
Message-ID: <2017@sri-arpa.UUCP>
Date: Fri, 10-Jun-83 11:37:26 EDT
Article-I.D.: sri-arpa.2017
Posted: Fri Jun 10 11:37:26 1983
Date-Received: Sun, 12-Jun-83 18:11:58 EDT
Lines: 28

Unfortunately, "delivermail" is insecure because it can mail to files
and send mail through pipes to processes that it spawns.  Causing
"/bin/mail" to setuid(getuid()) before invoking "delivermail" solves
some of the problems, but it doesn't solve them all (for reasons I'd
rather not circulate in a public forum).  It also causes some new
problems of its own.

Consider the case of the "msgs" program.  In a hostile environment
it may be undesirable to leave "/usr/msgs" world-writable (as it would
also be undesirable to leave individual mailboxes world-writable,
since mischievous users could corrupt or truncate them).  Non-root
users would then use "mail msgs" which is later aliased to
"|/usr/ucb/msgs -s".  In order for this to work, however, either
"delivermail" (which writes to non-mailbox files and pipes) or "msgs"
would have to run suid-root.  Alternate examples include mailing to
system log files (e.g. a "bugs" file); if the file isn't world-writable
then "delivermail" must run suid-root (or at least sgid-something) to
write it.

It seems that a better approach would be to forbid mailing to files and
(pipes to) programs unless these files and programs are specified in
"/usr/lib/aliases".  Thus, mailing to system-established files and
programs would work, but users wouldn't be able to mail to any random
target.

	John Bruner
	S-1 Project/Lawrence Livermore Lab
	jdb@s1-c
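As an added illustration (not part of the original post, and not delivermail's own code), here is a small delivery-policy check in the spirit of the proposal above: file and pipe targets are honoured only when they come out of an alias expansion, never when typed directly by the sender. The aliases text, the /usr/adm/bugs path and the names are constructed; the msgs entry follows the "|/usr/ucb/msgs -s" example in the post.

```python
# Added example: file/pipe delivery permitted only via the system aliases.
from typing import Dict, List, Tuple

# Constructed stand-in for /usr/lib/aliases, "name: target, target" per line.
# /usr/adm/bugs is a made-up path for the "bugs" log file mentioned above.
ALIASES_TEXT = """\
# system aliases (constructed sample)
msgs: "|/usr/ucb/msgs -s"
bugs: /usr/adm/bugs
staff: alice, bob
"""


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: t1, t2' lines; surrounding quotes on a target are stripped."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rhs = line.split(":", 1)
        targets = [t.strip().strip('"') for t in rhs.split(",") if t.strip()]
        table[name.strip()] = targets
    return table


def is_file_or_pipe(target: str) -> bool:
    """A target beginning with '/' is a file, with '|' a pipe to a program."""
    return target.startswith("/") or target.startswith("|")


def plan_delivery(addr: str, aliases: Dict[str, List[str]]) -> List[Tuple[str, bool]]:
    """Expand addr through the alias table; return (final_target, allowed).

    Ordinary mailboxes are always allowed.  A file or pipe is allowed only if
    an alias produced it, so a sender cannot name an arbitrary file or program.
    """
    results: List[Tuple[str, bool]] = []
    seen = set()  # guards against alias loops such as "a: a"

    def expand(name: str, from_alias: bool) -> None:
        if name in aliases:
            if name not in seen:
                seen.add(name)
                for t in aliases[name]:
                    expand(t, True)
        else:
            results.append((name, from_alias or not is_file_or_pipe(name)))

    expand(addr, False)
    return results


ALIASES = parse_aliases(ALIASES_TEXT)
```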