Bugtraq mailing list archives

Re: Mail delivery privileges


From: daw () mozart cs berkeley edu (David Wagner)
Date: 20 May 2001 00:37:11 GMT

Peter W  wrote:
To protect users from each other's ~/.forward instructions, it is necessary,
as Wietse said, for the delivery agent to start with superuser privileges.

I'm not convinced.  Imagine: ~/.forward-program could be a
setuid executable, owned by the user, and a non-root delivery
agent could exec() the relevant ~/.forward-program.  Why can't
this approach be made to work?  What am I missing?

(You might be concerned that malicious users on the same
system could inject forged mail by themselves exec()ing the
~/.forward-program.  But this threat can be countered in several
ways.  For instance, we could use file permissions: make
~/.forward-program mode 750, with group 'mail', and have the
delivery program run under user 'nobody', group 'mail'.  Or,
we could use crypto: Create a public/private keypair for the
delivery agent, put the public key in /etc/agent.pub, have the
delivery agent sign the input it sends to ~/.forward-program,
and have ~/.forward-program check the signature on its input
against /etc/agent.pub.)
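The two countermeasures sketched in this post, written out as an added example (this is not code from the post or from any mail delivery agent). It assumes Ed25519 as the signature scheme, a constructed envelope format (length, body, signature) for what the agent hands ~/.forward-program on stdin, and the names SignDelivery, VerifyDelivery and ForwardProgramUsable, none of which appear in the post. VerifyDelivery is what ~/.forward-program would run against the key in /etc/agent.pub; ForwardProgramUsable is the file-permission check a non-root agent would apply before exec()ing the program.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io/fs"
)

// Envelope handed from the delivery agent to ~/.forward-program on stdin
// (constructed format for this example; the post does not specify one):
//   4-byte big-endian length of the message body
//   message body
//   64-byte Ed25519 signature over the body
const sigSize = ed25519.SignatureSize

// SignDelivery runs inside the unprivileged delivery agent (e.g. nobody:mail).
// Only the agent holds privKey, so only it can produce an envelope that
// VerifyDelivery will accept.
func SignDelivery(privKey ed25519.PrivateKey, body []byte) []byte {
	var out bytes.Buffer
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(body)))
	out.Write(lenBuf[:])
	out.Write(body)
	out.Write(ed25519.Sign(privKey, body))
	return out.Bytes()
}

// VerifyDelivery runs inside ~/.forward-program with the agent's public key
// (the post's /etc/agent.pub). It returns the body only when the signature
// checks out, so a local user who exec()s the program directly cannot feed it
// forged mail: they can write to its stdin but cannot sign as the agent.
func VerifyDelivery(pubKey ed25519.PublicKey, envelope []byte) ([]byte, error) {
	if len(envelope) < 4+sigSize {
		return nil, errors.New("envelope too short")
	}
	n := binary.BigEndian.Uint32(envelope[:4])
	if uint64(len(envelope)) != 4+uint64(n)+sigSize {
		return nil, errors.New("length field does not match envelope size")
	}
	body := envelope[4 : 4+n]
	sig := envelope[4+n:]
	if !ed25519.Verify(pubKey, body, sig) {
		return nil, errors.New("bad signature: input was not produced by the delivery agent")
	}
	return body, nil
}

// ForwardProgramUsable is the file-permission variant from the post: the
// program must be owned by the recipient, be setuid (so it runs as them when
// the non-root agent execs it), and be mode 750 with group 'mail', so that
// the agent (in group mail) can run it but other local users cannot.
// uid/gid are passed in because reading them from fs.FileInfo is
// platform-specific.
func ForwardProgramUsable(mode fs.FileMode, ownerUID, ownerGID, recipientUID, mailGID int) bool {
	if ownerUID != recipientUID || ownerGID != mailGID {
		return false
	}
	if mode&fs.ModeSetuid == 0 {
		return false
	}
	// 0750: owner rwx, group r-x, nothing for others.
	return mode.Perm() == 0o750
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message; in practice this is the inbound mail.
	msg := []byte("From: alice@example.test\nSubject: test\n\nconstructed sample message\n")
	if body, err := VerifyDelivery(pub, SignDelivery(priv, msg)); err == nil {
		fmt.Printf("agent-signed input accepted (%d bytes)\n", len(body))
	}
	// A local user without the agent's private key cannot produce a valid
	// envelope; signing with some other key is rejected against /etc/agent.pub.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	if _, err := VerifyDelivery(pub, SignDelivery(otherPriv, msg)); err != nil {
		fmt.Println("forged input rejected:", err)
	}
	fmt.Println("mode 750 setuid, owned by recipient, group mail:",
		ForwardProgramUsable(fs.ModeSetuid|0o750, 1000, 12, 1000, 12))
}
```

The two checks are independent: the permission check stops other users from exec()ing the program at all, while the signature check makes forged input useless even if they can. Either one is enough for the threat the post describes; a deployment could use both.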
