Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!genrad!decvax!harpo!seismo!hao!hplabs!sri-unix!dbj.rice@rand-relay
From: dbj.rice%rand-relay@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Re: /bin/mail
Message-ID: <1976@sri-arpa.UUCP>
Date: Wed, 15-Jun-83 01:28:57 EDT
Article-I.D.: sri-arpa.1976
Posted: Wed Jun 15 01:28:57 1983
Date-Received: Sat, 11-Jun-83 21:17:56 EDT
Lines: 12

From:  Dave Johnson 

We noticed the "gaping security hole" in /bin/mail here at Rice and found a
simple way to fix the problem (actually, Bill LeFebvre here found the solution).
Make /bin/mail do a setuid(getuid()) after forking a subprocess but before
execing /etc/delivermail.  Delivermail is actually the one that mails to
files and it doesn't expect to be a setuid program.  It thus doesn't check
for access() to write on the file, but merely does it and lets it fail if it
will.  /bin/mail IS supposed to be setuid to root, but delivermail IS NOT.
The setuid(getuid()) in /bin/mail sets the effective uid back to the real
uid, undoing the effect of /bin/mail being a setuid program before running
delivermail.
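As an added example (not code from the post or from any historical /bin/mail), a small C sketch of the fix Dave describes: fork, call setuid(getuid()) in the child and verify it took effect, then exec the helper. The helper path is a placeholder; /bin/sh stands in for /etc/delivermail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Make the effective uid equal the real uid, as the post suggests for
 * /bin/mail. When the effective uid is root, setuid() also resets the
 * saved uid, so the drop cannot be undone later. Returns 0 on success. */
int drop_to_real_uid(void)
{
    uid_t real = getuid();
    if (setuid(real) != 0)
        return -1;
    /* Do not trust the call alone: confirm the change actually stuck. */
    if (geteuid() != real || getuid() != real)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec path with argv.
 * Returns the child's exit status, 126 if the drop failed, 127 if exec
 * failed, or -1 if fork/wait failed or the child died from a signal. */
int run_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop privileges before exec so the helper never runs
         * with the caller's setuid identity (delivermail does not expect it). */
        if (drop_to_real_uid() != 0)
            _exit(126);
        execv(path, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Convenience wrapper: run a shell command line as the real user. */
int run_sh(const char *cmd)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    return run_unprivileged("/bin/sh", argv);   /* placeholder helper */
}

int main(void)
{
    printf("child exit status: %d\n", run_sh("id -u"));
    return 0;
}
```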