Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!rutgers!iuvax!pur-ee!uiucdcs!bradley!brad
From: brad@bradley.UUCP
Newsgroups: comp.sys.att
Subject: Re: 3b1: files winding up in the w
Message-ID: <9300036@bradley>
Date: Mon, 30-Nov-87 21:45:00 EST
Article-I.D.: bradley.9300036
Posted: Mon Nov 30 21:45:00 1987
Date-Received: Sat, 5-Dec-87 11:39:51 EST
References: <51@icus.UUCP>
Lines: 20
Nf-ID: #R:icus.UUCP:51:bradley:9300036:000:1034
Nf-From: bradley.UUCP!brad    Nov 30 20:45:00 1987

/* Written  2:07 am  Nov 24, 1987 by lenny@icus.UUCP in bradley:comp.sys.att */
>>This is a problem with the system manager (smgr) which controls the
>>MAIL ICON at the top of the screen. If you save your mail after clicking
>>on the icon, it indeed goes in /etc/lddrv/mbox, this is a *BUG* not
>>a system problem. A while back I reported doing a "shell" escape "!" from
>>inside mail from the icon, will give you root access. This is a pretty
>>bad security flaw, since smgr runs as a root process. This can be
>>fixed I believe by renaming "/bin/mail" with "/bin/lmail" and writing
>>a short program that will do a:
>>
>>	setuid(getuid());
>>	setgid(getgid());
>>
>>and then exec "/bin/lmail".

This doesn't work as smgr runs as root. What I do is look at /etc/utmp
(or is it /etc/wtmp) and find out who is logged into /dev/w1, then using
the login name look up the uid in /etc/passwd and use this. Multiple
gettys will read the mail of whoever is logged into /dev/w1 (note that
/dev/tty??? doesn't have this happen to it).
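The wrapper approach described in the reply, as an added example that is not part of the original post and is not the poster's program: it finds the login on line "w1", looks the account up in the password database, drops root permanently, and only then execs "/bin/lmail". It assumes the modern POSIX utmpx and initgroups interfaces rather than the 3B1's own utmp format, and the function names user_on_line and drop_to are hypothetical.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <utmpx.h>
/* Added example; user_on_line() and drop_to() are illustrative names. */
/* Login name of the USER_PROCESS entry on `line` ("w1" in the post).
 * utmp fields are fixed-width and may lack a NUL, so bound every read. */
int user_on_line(const struct utmpx *recs, size_t n, const char *line,
                 char *name, size_t namelen)
{
    for (size_t i = 0; i < n; i++) {
        if (recs[i].ut_type != USER_PROCESS ||  /* skip getty, dead slots */
            strncmp(recs[i].ut_line, line, sizeof recs[i].ut_line) != 0)
            continue;
        int len = snprintf(name, namelen, "%.*s",
                           (int)sizeof recs[i].ut_user, recs[i].ut_user);
        return (len > 0 && (size_t)len < namelen) ? 0 : -1; /* no truncation */
    }
    return -1;
}

/* Permanently drop root to `pw`: supplementary groups, gid, then uid. */
int drop_to(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* If root can be regained, the drop did not stick: treat as failure. */
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct utmpx recs[64], *u;
    struct passwd *pw;
    char name[sizeof recs[0].ut_user + 1];
    size_t n = 0;
    (void)argc;
    setutxent();
    while (n < 64 && (u = getutxent()) != NULL)
        recs[n++] = *u;
    endutxent();
    if (user_on_line(recs, n, "w1", name, sizeof name) != 0 ||
        (pw = getpwnam(name)) == NULL || drop_to(pw) != 0)
        return 1;   /* fail closed: never exec the mailer as root */
    execv("/bin/lmail", argv);
    return 1;       /* only reached if exec failed */
}
```

Every failure path exits without running the mailer, so a missing utmp entry or an unknown login name cannot leave it running as root.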