[2878] in bugtraq


Re: BoS: Re: Solaris mailx hole

daemon@ATHENA.MIT.EDU (Travis Hassloch x231)
Tue Jul 2 15:31:04 1996

Date: 	Tue, 2 Jul 1996 14:10:28 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Travis Hassloch x231 <travis@EvTech.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  Your message of "Tue, 02 Jul 1996 01:08:49 EDT."
              <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net>

In message <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net> you write:
>         echo "localhost $USER" | /bin/mail $TARGET

This line should be preceded somewhere in the script by a line
which sets $USER:

USER=`whoami`

>         2. We have considered several potential workarounds for this
>            vulnerability.  The ideal fix would be to remove global write
>            access to the mail spool directory.  However, this is not
>            possible as programs such as /bin/mail, /usr/ucb/Mail and
>            elm require everyone to have write access.  Also it is not

                        or to be sgid-mail.

>            possible to, for example, change the group ownership of
>            /var/spool/mail to mail and give /bin/mail and /usr/ucb/Mail
>            setgid mail privilege, as they do not reset their group id
>            before forking a shell.

             Unless you have sources and can fix them.

>            i. Ensure that every user maintains a mailbox file.  The
>               following program will create a mailbox for every user
>               on the system, if one does not currently exist.

  Would it also suffice to have an alias for each such user?
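
An added example, not part of the original message or of any vendor's mailer source: one way a setgid-mail program could reset its group id in the child before running a shell escape, which is the step the quoted advisory says /bin/mail and /usr/ucb/Mail lack. The function names are hypothetical, and the saved-group-id behaviour of setregid() is an assumption that the code verifies at run time.

```c
/* Added illustration; function names are hypothetical, not mailer source. */
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up a setgid-acquired group (e.g. mail).
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_group_privilege(void)
{
    gid_t real = getgid();
    gid_t old_eff = getegid();

    /* Assumption: setting real and effective together also replaces the
     * saved gid; the checks below catch platforms where it does not. */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* A non-root process must not be able to get the old group back. */
    if (old_eff != real && geteuid() != 0 && setegid(old_eff) == 0)
        return -1;
    return 0;
}

/* Run a shell escape with only the invoking user's own group.
 * Returns the command's exit status, or -1 on error. */
int run_shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork(), w;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop the group before the shell starts; fail closed. */
        if (drop_group_privilege() != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    do {
        w = waitpid(pid, &status, 0);    /* retry if interrupted */
    } while (w < 0 && errno == EINTR);
    if (w < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The parent keeps its mail group for spool access; only the child that becomes the shell loses it.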
