Aaron Stone wrote:
> None of the binaries are setuid/setgid, so there's no risk of running code
> at a privilege level different than any other code that the logged-in user
> is allowed to run.
>
> You do make a good point that a sysadmin should be aware of -- a user
> could install a "trojan module" which provides entry points for the
> functions that the dbmail-*'s expect, but runs nefarious code. A sysadmin
> should not, then, 'cd ~eviluser ; dbmail-lalala' because you might get
> hosed.
Yes, true, but I think a little understated in severity. If you are running dbmail-users or dbmail-util, you have to have enough privilege to read the dbmail.conf file since it contains the authentication for the database. And since it contains this authentication, it will normally be 0640 or something similar.

Let's say, just for example, it's 0640 owner=root, group=dbmail. I'm part of the dbmail group. I cd /tmp and have been doing random cleanup, then I notice that some form of maintenance (add user, for example) needs to be done. Someone implants a /tmp/modules/.libs/libmysql.so, for example, providing the same hooks as libmysql.so, and then some extra treachery. If they were very crafty, the module would do its work, dispatch to the real libmysql.so, and remove itself from the filesystem so that it would no longer be detectable after its dirty deed is done. (How many people examine the contents of /tmp before executing programs, if you even remember that's where your cwd is?)

So, in this case, they could have trashed my personal account, and gotten access to anything that group dbmail could read or write. This would include the login and password for the dbmail database, which would let them modify data on the mail store with impunity. And they could create forwards that would execute programs, which would give them another attack vector.

While it is not as serious an issue (as, for example, having root compromised), losing everything in your personal account and all your dbmail tables would not make for a good start to your pager going off at 7AM one day.

I see this as comparable to creating a linux distro with all users having "." in the path and then saying "Oh, by the way, be careful or you might get hosed" :)

_______________________________________________
Dbmail-dev mailing list
http://twister.fastxs.net/mailman/listinfo/dbmail-dev
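The loader-side mitigation for the /tmp/modules/.libs/libmysql.so scenario discussed in this thread, as an added example that is not dbmail's own code (the thread does not show how dbmail locates its modules): a module path is accepted only when it is absolute and both the file and its parent directory are root-owned and not group- or world-writable, so a relative path resolved against the cwd, or a file in a world-writable directory like /tmp, is refused before it ever reaches dlopen(). The function names are hypothetical.

```c
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* An object is trusted only if it exists, is owned by root, and cannot be
 * written by group or others. Returns 1 if trusted, 0 otherwise. */
static int trusted_object(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)              /* missing or unreadable: refuse */
        return 0;
    if (st.st_uid != 0)                    /* must be installed by root */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))  /* group/world-writable: refuse */
        return 0;
    return 1;
}

/* Decide whether a module path may be handed to dlopen(). The parent
 * directory is checked as well: a world-writable directory (e.g. /tmp) would
 * let anyone drop a replacement module next to, or instead of, the real one.
 * Returns 1 if the path is safe to load, 0 if not. */
int module_path_is_safe(const char *path)
{
    char buf[4096];
    if (path == NULL || path[0] != '/')    /* never resolve against the cwd */
        return 0;
    if (strlen(path) >= sizeof buf)
        return 0;
    strcpy(buf, path);                     /* dirname() modifies its argument */
    if (!trusted_object(path))
        return 0;
    if (!trusted_object(dirname(buf)))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample paths: the planted module from the thread, the same
     * module given relative to the cwd, and a root-owned system binary. */
    const char *samples[] = { "/tmp/modules/.libs/libmysql.so",
                              "modules/.libs/libmysql.so", "/bin/sh" };
    for (int i = 0; i < 3; i++)
        printf("%-34s %s\n", samples[i],
               module_path_is_safe(samples[i]) ? "ok to load" : "REFUSED");
    return 0;
}
```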
