[20636] in bugtraq
Re: Solaris /usr/bin/mailx exploit (SPARC)
daemon@ATHENA.MIT.EDU (Andrew Hilborne)
Tue May 15 15:29:11 2001
To: Casper Dik <Casper.Dik@Sun.COM>
Cc: bugtraq@securityfocus.com, vuldb@securityfocus.com
From: Andrew Hilborne <andrew.hilborne@uk.xo.com>
Date: 15 May 2001 14:15:45 +0100
In-Reply-To: Casper Dik's message of "Mon, 14 May 2001 10:24:10 +0200"
Message-ID: <uag0e692im.fsf@sapphire.noc.gxn.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Casper Dik <Casper.Dik@Sun.COM> writes:
> I'm not sure why all of the Solaris mail programs are actually set-gid
> mail.
>
> If you strip set-gid mail from /usr/bin/mail, /usr/bin/mailx,
> /usr/SUNWale/bin/mailx, /usr/dt/bin/dtmail, /usr/dt/bin/dtmailpr,
> /usr/openwin/bin/mailtool nothing should break.
>
> (At least not if your /var/mail directory has the standard 1777 permissions)
>
> By forcing a file permission of 600 on mailboxes, group mail should not
> gain you anything.
Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
empty mailboxes)?
Since you cannot easily do this, at the very least a malicious user should be
able to steal other users' mail. I think.
--
Andrew Hilborne
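
A defender's check for the condition debated in this thread, added here as an example and not part of either message: it audits a spool directory for mailboxes wider than 0600 or owned by someone other than the user they are named for. The names `audit_spool` and `lookup_uid` are hypothetical, and it assumes the traditional layout where each mailbox file is named after its login name.

```python
import os
import pwd
import stat


def lookup_uid(name):
    """Return the uid for a login name, or None if no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_spool(spool, uid_of=lookup_uid):
    """Return sorted (name, problem) findings for a mail spool directory."""
    findings = []
    dmode = stat.S_IMODE(os.stat(spool).st_mode)
    # 1777 is expected; world-writable without the sticky bit lets any
    # user remove or replace another user's mailbox.
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append((".", "world-writable spool without sticky bit"))
    for name in os.listdir(spool):
        st = os.lstat(os.path.join(spool, name))  # lstat: never follow links
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((name, "mode %04o is wider than 0600" % mode))
        expected = uid_of(name)
        if expected is None:
            # Also fires for lock files and similar non-mailbox entries.
            findings.append((name, "no account with this name"))
        elif st.st_uid != expected:
            # A mailbox created in advance by someone other than its user.
            findings.append((name, "owned by uid %d, expected %d" % (st.st_uid, expected)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/mail"
    for name, problem in audit_spool(target):
        print("%s: %s" % (name, problem))
```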