[434] in linux-security and linux-alert archive
Re: /var/spool/mail permissions
daemon@ATHENA.MIT.EDU (Erlend Midttun)
Fri Oct 27 18:02:00 1995
From: Erlend Midttun <Erlend.Midttun@colargol.idb.hist.no>
To: cs6171@scitsc.wlv.ac.uk
Date: Fri, 27 Oct 1995 11:02:01 +0100 (MET)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0t7tY9-000A6LC@scitsc.wlv.ac.uk> from "R.Arnold / Arny" at Oct 25, 95 00:18:32 am
-----BEGIN PGP SIGNED MESSAGE-----
[ /var/spool/mail permissions drwxrwxrwx bad idea ]
> My system (Slackware 2.0) runs Smail3.1.28.1 since I have not altered the
> mail setup since I have installed it. Now if I change /var/spool/mail to
> drwxrwxrwt a user can delete his mail file and replace it with a symbolic
> link to any file, mail is then written to this file as root (amusingly the
> ownership of the actual symbolic link is then changed).
You run a miscompiled version of Smail. It was compiled without HAVE_SETEUID
and does not change its uid to the actual recipient before delivering mail.
On a system running a patched Smail 3.1.28 or a newer version (which does
support Linux) this does not apply.
> a) how many linux systems does this affect?
At least all systems that use the version of Smail that came with Slackware
prior to 2.2.
> b) has this problem to some extent been fixed in the
> latest distributions of linux?
Slackware is now using sendmail as its default. If a person should choose
to install the version of Smail that came with Slackware prior to 3.0, it
is still the same binary. Slackware 3.0 includes Smail 3.1.29.1 which is
secure.
> c) is this problem old news, has it been discussed
> before, how many people know about it?
It came up as one out of three ugly bugs about a year ago. There were
released patches that fixed them all, and the newer versions of Smail
do not have these bugs.
> d) should I post the above 'exploit' details to
> comp.security.unix, since some people seem to need
> little excuse to criticise linux, which in this case
> would be unfair? (Having said that if I keep getting
> mail I may (almost) have to post it).
You could. The bug was having its first birthday party around
14. oct this year.
> Personally I think slackware really does have the right idea with:
> drwxrwxr-x 2 root mail 1024 Oct 24 22:44 /var/spool/mail/
Sure does.
> Thanks,
> Arny - cs6171@scitsc.wlv.ac.uk
Erlend..
- --
Erlend Midttun erlendbm@colargol.stud.idb.hist.no
IRC: Golle
http://colargol.idb.hist.no/~erlendbm/ A Linux User
PGP public key available upon finger request
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----
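
The fix described in the message above, switching to the recipient's uid before opening the mailbox, shown as an added example that is not Smail's code and not part of the original message. The function name `deliver_local`, the extra `O_NOFOLLOW` and `fstat` checks, and the constructed paths under /tmp are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Smail code): append msg to the mailbox at path
 * for user uid. Returns 0 on success, -1 if refused or on error. */
int deliver_local(const char *path, uid_t uid, const char *msg)
{
    uid_t saved = geteuid();
    struct stat st;
    int fd, rc = -1;
    /* Become the recipient first, so the kernel checks the open against
     * the user's rights rather than root's. Only root can switch. */
    if (saved == 0 && seteuid(uid) != 0)
        return -1;
    /* O_NOFOLLOW: the open fails (ELOOP) if path itself is a symlink. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        /* Check the object actually opened: a regular file with a single
         * link, owned by the recipient. */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_nlink == 1 && st.st_uid == uid &&
            write(fd, msg, strlen(msg)) == (ssize_t)strlen(msg))
            rc = 0;
        close(fd);
    }
    if (saved == 0 && seteuid(saved) != 0)
        return -1;
    return rc;
}

int main(void)
{
    char dir[] = "/tmp/spoolXXXXXX", box[64], target[64]; /* constructed */
    if (!mkdtemp(dir)) return 1;
    snprintf(box, sizeof box, "%s/user", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, box) != 0) return 1;  /* mailbox replaced by a link */
    printf("via symlink: %d\n", deliver_local(box, geteuid(), "msg\n"));
    unlink(box);
    printf("regular file: %d\n", deliver_local(box, geteuid(), "msg\n"));
    return 0;
}
```
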