[20639] in bugtraq

Re: Solaris /usr/bin/mailx exploit (SPARC)

daemon@ATHENA.MIT.EDU (Dan Astoorian)
Tue May 15 18:51:41 2001

To: Casper Dik <Casper.Dik@Sun.COM>
Cc: bugtraq@securityfocus.com, vuldb@securityfocus.com
In-reply-to: Your message of "Mon, 14 May 2001 04:24:10 EDT."
             <200105140824.KAA08664@romulus.Holland.Sun.COM> 
Date: 	Tue, 15 May 2001 09:29:37 -0400
From: Dan Astoorian <djast@cs.toronto.edu>
Message-Id: <01May15.092939edt.453155-19457@jane.cs.toronto.edu>

On Mon, 14 May 2001 04:24:10 EDT, Casper Dik writes:
> 
> By forcing a file permission of 600 on mailboxes, group mail should not
> gain you anything.

Under some older Solaris releases (e.g., including 2.5.1), the /etc/mail
directory belongs to group mail and is group-writable, by default;
that'll gain you plenty.

Sun has fixed this in recent releases, but if you're running a backrev
OS, it would be wise to "chmod g-w /etc/mail" (or remove the setgid bit
from all utilities in group mail).

/var/mail/:saved is also writable by group mail by default--even under
Solaris 8.  (/bin/[r]mail allegedly uses this directory "for holding
temp files to prevent loss of data in the event of a system crash"; does
it do so safely, or might gaining gid-mail open up symlink attacks?)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast@cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
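
The checks suggested in the message above, as an added example that is not part of the original post: it reports whether /etc/mail and /var/mail/:saved are group-writable by a given group and lists setgid files for that group. The function names, the script name and the directories searched for setgid files are assumptions; it expects a POSIX shell with ls, awk, find and sed.

```shell
#!/bin/sh
# Added audit example; not part of the original message.
# Usage: sh audit-mail-group.sh mail   (script name is hypothetical)

# Succeeds if $1 is a real directory (not a symlink) that is
# group-writable and whose owning group is $2.
group_writable_dir() {
    [ -d "$1" ] || return 1
    # ls -ld fields: mode links owner group ...; mode char 6 is group-write
    ls -ld "$1" | awk -v g="$2" '
        NR == 1 { ok = (substr($1, 1, 1) == "d" && substr($1, 6, 1) == "w" && $4 == g) }
        END { exit !ok }'
}

# Prints regular files under directory $1 that are setgid with group $2.
setgid_files() {
    find "$1" -type f -perm -2000 -group "$2" -print 2>/dev/null
}

# Checks the two directories named in the message, then lists setgid
# files for the group. The directories searched are an assumption;
# adjust them for the host being audited.
audit_mail_group() {
    for d in /etc/mail '/var/mail/:saved'; do
        if group_writable_dir "$d" "$1"; then
            echo "group-writable by $1: $d"
        fi
    done
    for b in /usr/bin /usr/sbin /usr/lib; do
        if [ -d "$b" ]; then
            setgid_files "$b" "$1" | sed "s/^/setgid $1: /"
        fi
    done
    return 0
}

# Run the audit only when a group name is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_mail_group "$1"
fi
```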
