Bugtraq mailing list archives

Re: Solaris /usr/bin/mailx exploit (SPARC)


From: woods () weird com (Greg A. Woods)
Date: Tue, 15 May 2001 13:09:21 -0400 (EDT)

[ On Monday, May 14, 2001 at 10:24:10 (+0200), Casper Dik wrote: ]
Subject: Re: Solaris /usr/bin/mailx exploit (SPARC) 

> I'm not sure why all of the Solaris mail programs are actually set-gid
> mail.

then you should learn!  there are very good reasons for this!

But don't try to learn from solaris itself -- learn from its roots!
Solaris has a horribly twisted and broken local mail architecture now.

> If you strip set-gid mail from /usr/bin/mail, /usr/bin/mailx,
> /usr/SUNWale/bin/mailx, /usr/dt/bin/dtmail, /usr/dt/bin/dtmailpr,
> /usr/openwin/bin/mailtool nothing should break.
>
> (At least not if your /var/mail directory has the standard 1777 permissions)

That's NOT the way SysV mail was designed to work!

It was *designed* to work with setgid-mail!  It was *designed* to never
require root privileges in the mail delivery system and in a proper
implementation it doesn't!

Using 1777 permissions opens up a whole new can of worms and *requires*
(at least generically) that all mailboxes be created *before* the
corresponding account is created.

The problem is that mailx was never really corrected in Solaris (either
that or it was and then subsequent merges of new BSD code over-wrote the
fixes).  (mailx of course being based on the much older design of the
BSD mail system, which was of course based on the original and insecure
v7 mail system.)

> By forcing a file permission of 600 on mailboxes, group mail should not
> gain you anything.

If you can do that then that suggests the local delivery agent is also
broken and may be using root privileges!  It should *NOT* (at least not
for the SysV mailbox design).

The idea is that a compromise of the mail subsystem, i.e. group mail,
should only ever give access to just mailboxes (and not even any of the
programs themselves), and nothing more, unlike the older v7 mail system
where a compromise was equivalent to a total superuser compromise.  Too
bad modern systems went backwards in this respect and still often leave
mail systems running as root.

Even as far back as SysIII (i.e. 1980) there's clear evidence that the
entire AT&T UNIX mail system was leaning far away from using root
privileges and would work entirely with just setgid.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>
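As an added illustration (not code from the original post or thread), the following POSIX shell function audits a mail spool directory against the two layouts the exchange contrasts: a spool writable by group mail with mailboxes readable only by their owner and group mail, versus the world-writable sticky 1777 spool. The concrete modes it expects (0775 for the spool, 0660 or 0600 for mailboxes) are assumptions chosen for the example, not values stated in the post.

```shell
#!/bin/sh
# Added illustration, not code from the original post. Audits a mail spool
# directory against the two layouts the thread contrasts: a group-mail
# writable spool (assumed 0775, root:mail) with 0660 or 0600 mailboxes,
# versus a world-writable sticky spool (1777). Expected modes are assumptions.

# Print the permission bits of a path in octal (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# Report each deviation from the setgid-mail layout; return the count.
audit_spool() {
    spool=$1
    findings=0
    case "$(mode_of "$spool")" in
        1777)
            echo "$spool: world-writable sticky spool (1777): every mailbox must pre-exist"
            findings=$((findings + 1)) ;;
        775|0775) ;;
        *)
            echo "$spool: mode $(mode_of "$spool") is neither 1777 nor 0775"
            findings=$((findings + 1)) ;;
    esac
    for box in "$spool"/*; do
        [ -f "$box" ] || continue
        case "$(mode_of "$box")" in
            600|0600|660|0660) ;;
            *)
                echo "$box: mode $(mode_of "$box") exposes the mailbox beyond owner and group mail"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Usage: audit_spool /var/mail   (exit status is the number of findings)
```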

