Bugtraq mailing list archives

Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)


From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 18 May 2001 21:04:33 -0400

In message <20010518203508.DCF0EC3 () proven weird com>, Greg A. Woods writes:

> Personally I'm loath to allow ordinary users to specify delivery to
> programs in the first place, and forcing them at minimum to arrange for
> their mail filters to run unprivileged seems like a very small price to
> pay.  I seem to recall this was the solution taken by the AT&T UPAS
> mailer delivered as the default mailer on native UNIX System V Release 4.
> That's certainly the way it works on Plan 9:
>
>   Filtering
>       If  the file /mail/box/username/pipeto exists and is read-
>       able and executable by everyone, it will be run  for  each
>       incoming  message for the user.  The message will be piped
>       to it rather than appended to his/her mail box.  The  file
>       is run as user `none'.

That's more an artifact of Plan 9 than of upas -- upas on Unix did 
support 'Pipe to'.  But Plan 9 has no notion of setuid nor (as I 
recall) of superuser, so it can't do that.  And while there are 
certainly security issues with delivery to programs (that's why 
sendmail had to implement smrsh), not having write ability to per-user 
files causes problems for programs like 'vacation'.

                --Steve Bellovin, http://www.research.att.com/~smb
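
The delivery rule quoted from the Plan 9 manual above, as an added example that is not part of the original message and is not code from upas, Plan 9 or sendmail: the message is piped to the user's filter only when the file is readable and executable by everyone, and the filter runs under a fixed unprivileged identity. The uid/gid 65534 (standing in for `none'), the function names and the status strings are assumptions.

```python
import os
import stat
import subprocess

# Assumption: 65534 is an unprivileged account ("nobody"), standing in
# for Plan 9's user `none'.
UNPRIV_UID = UNPRIV_GID = 65534
EVERYONE_RX = 0o555  # r-x for owner, group and other


def pipeto_eligible(path):
    """True if path is a regular file readable and executable by everyone."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and (st.st_mode & EVERYONE_RX) == EVERYONE_RX


def deliver(message, pipeto, mailbox):
    """Pipe message (bytes) to the user's filter, else append to the mailbox.

    Returns "piped", "filter-failed" or "appended" (hypothetical status names).
    """
    if not pipeto_eligible(pipeto):
        with open(mailbox, "ab") as box:
            box.write(message)
        return "appended"
    ids = {}
    if os.geteuid() == 0:
        # Drop supplementary groups, gid and uid in the child before exec.
        # The filter never runs as root or as the recipient, so a file swapped
        # in after the stat() above still gains nothing beyond "nobody".
        ids = {"user": UNPRIV_UID, "group": UNPRIV_GID, "extra_groups": []}
    result = subprocess.run(
        [pipeto],
        input=message,
        env={"PATH": "/usr/bin:/bin"},  # do not pass the daemon's environment on
        cwd="/",
        timeout=30,
        **ids,
    )
    # Consequence raised in the reply: running as "nobody", the filter cannot
    # write per-user state files, which a program like 'vacation' needs.
    return "piped" if result.returncode == 0 else "filter-failed"
```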


