[20712] in bugtraq


Re: Mail delivery privileges (was: Solaris /usr/bin/mailx exploit)

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri May 18 22:31:38 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: woods@weird.com (Greg A. Woods)
Cc: wietse@porcupine.org (Wietse Venema), bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 18 May 2001 21:04:33 -0400
Message-Id: <20010519010434.5D6A27B84@berkshire.research.att.com>

In message <20010518203508.DCF0EC3@proven.weird.com>, Greg A. Woods writes:

>Personally I'm loath to allow ordinary users to specify delivery to
>programs in the first place, and forcing them at minimum to arrange for
>their mail filters to run unprivileged seems like a very small price to
>pay.  I seem to recall this was the solution taken by the AT&T UPAS
>mailer delivered as the default mailer on native UNIX System V Release 4.
>That's certainly the way it works on Plan 9:
>
>   Filtering
>       If  the file /mail/box/username/pipeto exists and is read-
>       able and executable by everyone, it will be run  for  each
>       incoming  message for the user.  The message will be piped
>       to it rather than appended to his/her mail box.  The  file
>       is run as user `none'.

That's more an artifact of Plan 9 than of upas -- upas on Unix did 
support 'Pipe to'.  But Plan 9 has no notion of setuid nor (as I 
recall) of superuser, so it can't do that.  And while there are 
certainly security issues with delivery to programs (that's why 
sendmail had to implement smrsh), not having write ability to per-user 
files causes problems for programs like 'vacation'.

		--Steve Bellovin, http://www.research.att.com/~smb
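
The pipeto rule quoted above, transplanted to Unix as an added example (not part of the original message, and not upas code). The names `pipeto_eligible` and `deliver`, the `run_as` pair standing in for Plan 9's user `none', and the mbox fallback are assumptions; Python 3.9 or later is assumed for the `user`/`group` arguments.

```python
import os
import stat
import subprocess

def pipeto_eligible(path):
    """True if path is a regular file readable and executable by everyone."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    need = stat.S_IROTH | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and (st.st_mode & need) == need

def deliver(message, pipeto, mbox, run_as=None):
    """Pipe message (bytes) to the filter if eligible, else append to mbox.

    run_as is an optional (uid, gid) of an unprivileged account; switching
    to it only works when the caller is root. Returns "piped" or "appended".
    """
    if pipeto_eligible(pipeto):
        uid, gid = run_as if run_as else (None, None)
        # subprocess clears supplementary groups, then sets the gid, then
        # the uid, in the child before exec, so the filter never holds the
        # delivery agent's privileges. A filter run this way cannot update
        # files writable only by the mailbox owner, which is the cost the
        # reply points out for programs like 'vacation'.
        subprocess.run(
            [pipeto],
            input=message,
            user=uid,
            group=gid,
            extra_groups=[] if run_as else None,
            cwd="/",                          # not the agent's working dir
            env={"PATH": "/usr/bin:/bin"},    # fixed, minimal environment
            timeout=30,
            check=False,
        )
        return "piped"
    # No usable filter: ordinary mailbox delivery.
    with open(mbox, "ab") as f:
        f.write(message)
    return "appended"
```
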


