[ On Tuesday, May 15, 2001 at 13:46:23 (+0200), Johann Klasek wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> To correct slightly the picture of a set-gid mail environment:
>
> set-gid has nothing to do with writing the inbox. It was in old days
> (without today's 1000 permission) the only method to allow mail clients
> the creation of .lock files and the inbox file itself in
> /var/spool/mail. It was never necessary to let the inbox writable for
> group "mail" (of course, probably not true in very old System 7
> environments). Therefore, a 600 permission does NOT implicate an
> unnecessary group mail setup. The delivery into a mailbox is
> accomplished with user (inbox owner) permission (derived from the set-
> uid root MTA).
To correct that mis-information:
V7 used setuid-root /bin/mail for delivery (it was insecure)
A correct implementation of SysV mail with setgid-mail does
indeed require that mailboxes be writable by the group mail.
The system mailbox spool directory must not be world writable.
SysV mail is designed to eliminate *ALL* need for setuid-root!
By now you might have realised that SysV mail requires chown() to be
usable by non-root. If so then you're right. It's not compatible with
naive filesystem-based quotas. Pick one: a) root compromises, or b)
quotas. Actually, you don't have to -- you can implement mailbox quotas
in the mail delivery agent and you can put your mailbox directory on a
separate filesystem such that you don't have to use FS quotas there.
BSD's setuid-root mail subsystem is stupidly insecure, but many of us
do live with its risks every day..... :-(
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
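The thread argues over what a correct setgid-mail spool actually looks like: the spool directory must not be world-writable, mailboxes must be writable by group mail so the setgid delivery agent can append, and (per the quoted "1000 permission" remark) the directory carries the sticky bit so users cannot remove each other's files. The audit below is an added example, not code from either poster; it checks a spool tree against exactly those rules. It builds a throwaway spool under a temp directory with one correct and one deliberately broken mailbox, using the caller's own gid in place of group mail because the demo cannot chgrp; on a real system pass the result of `lookup_mail_gid()` and the real spool path instead.

```python
"""Audit a mail spool against the SysV setgid-mail permission model
described in the thread.  Added example; not the thread's own code."""
import grp
import os
import pwd
import stat
import tempfile


def lookup_mail_gid(name="mail"):
    """Return the gid of the delivery group, or None if this host lacks it."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def audit_spool_dir(spool, mail_gid):
    """Findings for the spool directory itself (empty list means OK)."""
    st = os.lstat(spool)
    if not stat.S_ISDIR(st.st_mode):
        return ["spool is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("spool directory is world-writable")
    if st.st_gid != mail_gid:
        findings.append("spool directory is not in the mail group")
    if not mode & stat.S_IWGRP:
        findings.append("spool directory is not group-writable "
                        "(setgid-mail clients cannot create lock files)")
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit not set (users could remove each "
                        "other's mailboxes or lock files)")
    return findings


def audit_mailbox(path, mail_gid):
    """Findings for one mailbox file: owned by its user, group mail,
    group-writable for delivery, and never world-accessible."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink in spool"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable mailbox")
    if mode & stat.S_IROTH:
        findings.append("world-readable mailbox")
    if st.st_gid != mail_gid:
        findings.append("mailbox not in the mail group")
    if not mode & stat.S_IWGRP:
        findings.append("mailbox not group-writable "
                        "(setgid-mail delivery cannot append)")
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = None  # no passwd entry; skip the ownership check
    if owner is not None and owner != os.path.basename(path):
        findings.append("owner %s does not match mailbox name" % owner)
    return findings


def audit_spool(spool, mail_gid):
    """Map the spool and every mailbox under it to a list of findings."""
    report = {spool: audit_spool_dir(spool, mail_gid)}
    for entry in sorted(os.listdir(spool)):
        if entry.endswith(".lock"):
            continue  # transient lock files are not mailboxes
        path = os.path.join(spool, entry)
        report[path] = audit_mailbox(path, mail_gid)
    return report


def build_demo_spool():
    """Construct a throwaway spool: one correct mailbox, one broken one.
    The caller's gid stands in for group mail (constructed demo data)."""
    spool = tempfile.mkdtemp(prefix="spool-")
    try:
        me = pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        me = "user"
    good = os.path.join(spool, me)
    with open(good, "w"):
        pass
    gid = os.lstat(good).st_gid
    os.chmod(good, 0o660)          # user rw, group mail rw, no world access
    os.chown(spool, -1, gid)
    os.chmod(spool, 0o1770)        # group may create lock files; sticky; no world
    bad = os.path.join(spool, "bad_mailbox")
    with open(bad, "w"):
        pass
    os.chmod(bad, 0o666)           # the classic mistake: world-writable inbox
    return spool, gid, good, bad


if __name__ == "__main__":
    spool_dir, gid, _, _ = build_demo_spool()
    for path, problems in audit_spool(spool_dir, gid).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run against a real host, `audit_spool("/var/spool/mail", lookup_mail_gid())` reports nothing for a spool laid out the way the reply describes and flags a 666 inbox, a world-writable spool, or a mailbox whose group is not mail. A site running the BSD setuid-root model will see "not group-writable" on every 600 inbox; that is expected there, since delivery does not go through group mail at all.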