Bugtraq mailing list archives

Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)

From: woods () weird com (Greg A. Woods)
Date: Fri, 18 May 2001 22:16:56 -0400 (EDT)

[ On Friday, May 18, 2001 at 21:04:33 (-0400), Steven M. Bellovin wrote: ]

Subject: Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) 

That's more an artifact of Plan 9 than of upas -- upas on Unix did 
support 'Pipe to'.  But Plan 9 has no notion of setuid nor (as I 
recall) of superuser, so it can't do that.


Of course....  (you remember correctly, there's no super-user in Plan 9
-- the user who boots a workstation, and thus logs in first, is
essentially it's privileged user and owns most devices and can control
all processes)

BTW, I have found reference now to what I was thinking of in SysVr4.
It's mail_pipe(1M), and indeed:

       mail_pipe  is  installed  as  a  privileged  process  thus
       enabling  itself to change it's user and group ids to that
       of the recipient as necessary.

This is from 4.2, and I may have been thinking of 4.0, though even there
it may have been setuid-root too and I can no longer check.

 And while there are 
certainly security issues with delivery to programs (that's why 
sendmail had to implement smrsh), not having write ability to per-user 
files causes problems for programs like 'vacation'.


I have in the past implemented a "central" vacation facility that used a
single shared database to keep track of which addresses it had sent
replies to on a per-user basis.  Such applications do require a central
system facility and this obviously doesn't solve the more general
problem.

There is another obvious trick too -- the user can install his own
setuid program such that when the LDA invokes it the user's privileges
are taken on.  Obviously there are many problems with this trick, but it
does avoid the need to make the LDA run as root.  ;-)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

Current thread:

Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Steven M. Bellovin (May 18)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Greg A. Woods (May 19)
- Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit) Lyle Seaman (May 19)