Bugtraq mailing list archives
Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)
From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 18 May 2001 21:04:33 -0400
In message <20010518203508.DCF0EC3 () proven weird com>, Greg A. Woods writes:
Personally I'm loathe to allow ordinary users to specify delivery to programs in the first place, and forcing them at minimum to arrange for their mail filters to run unprivileged seems like a very small price to pay. I seem to recall this was the solution taken by the AT&T UPAS mailer delivered as the default mailer on native UNIX System V Release 4. That's certainly the way it works on Plan 9: Filtering If the file /mail/box/username/pipeto exists and is read- able and executable by everyone, it will be run for each incoming message for the user. The message will be piped to it rather than appended to his/her mail box. The file is run as user `none'.
That's more an artifact of Plan 9 than of upas -- upas on Unix did support 'Pipe to'. But Plan 9 has no notion of setuid nor (as I recall) of superuser, so it can't do that. And while there are certainly security issues with delivery to programs (that's why sendmail had to implement smrsh), not having write ability to per-user files causes problems for programs like 'vacation'. --Steve Bellovin, http://www.research.att.com/~smb
Current thread:
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Steven M. Bellovin (May 18)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Greg A. Woods (May 19)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Lyle Seaman (May 19)