Re: Solaris /usr/bin/mailx exploit (SPARC)

From: Greg A. Woods (woodsat_private)
Date: Tue May 15 2001 - 10:09:21 PDT


    [ On Monday, May 14, 2001 at 10:24:10 (+0200), Casper Dik wrote: ]
    > Subject: Re: Solaris /usr/bin/mailx exploit (SPARC) 
    >
    > I'm not sure why all of the Solaris mail programs are actually set-gid 
    > mail.
    
    Then you should learn!  There are very good reasons for this!
    
    But don't try to learn from Solaris itself -- learn from its roots!
    Solaris has a horribly twisted and broken local mail architecture now.
    
    > If you strip set-gid mail from /usr/bin/mail, /usr/bin/mailx, 
    > /usr/SUNWale/bin/mailx, /usr/dt/bin/dtmail, /usr/dt/bin/dtmailpr,
    > /usr/openwin/bin/mailtool nothing should break.
    > 
    > (At least not if your /var/mail directory has the standard 1777 permissions)
    
    That's NOT the way SysV mail was designed to work!
    
    It was *designed* to work with setgid-mail!  It was *designed* to never
    require root privileges in the mail delivery system and in a proper
    implementation it doesn't!
    
    Using 1777 permissions opens up a whole new can of worms and *requires*
    (at least generically) that all mailboxes be created *before* the
    corresponding account is created.
    
    The problem is that mailx was never really corrected in Solaris (either
    that or it was and then subsequent merges of new BSD code overwrote the
    fixes).  (mailx of course being based on the much older design of the
    BSD mail system, which was of course based on the original and insecure
    v7 mail system.)
    
    > By forcing a file permission of 600 on mailboxes, group mail should not
    > gain you anything.
    
    If you can do that then that suggests the local delivery agent is also
    broken and may be using root privileges!  It should *NOT* (at least not
    for the SysV mailbox design).
    
    The idea is that a compromise of the mail subsystem, i.e. group mail,
    should only ever give access to just mailboxes (and not even any of the
    programs themselves), and nothing more, unlike the older v7 mail system
    where a compromise was equivalent to a total superuser compromise.  Too
    bad modern systems went backwards in this respect and still often leave
    mail systems running as root.
    
    Even as far back as SysIII (i.e. 1980) there's clear evidence that the
    entire AT&T UNIX mail system was leaning far away from using root
    privileges and would work entirely with just setgid.
    
    -- 
    							Greg A. Woods
    
    +1 416 218-0098      VE3TCP      <gwoodsat_private>     <woodsat_private>
    Planix, Inc. <woodsat_private>;   Secrets of the Weird <woodsat_private>
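An added example, not from Greg's or Casper's posts: a small audit script that checks a spool directory against the setgid-mail layout argued for above (spool directory not 1777, each mailbox owned by its user, group mail, mode 600 or 660) and lists the setgid-mail programs named in the quoted text. It assumes GNU stat(1), and the group name and search paths are assumptions that can be overridden.

```shell
#!/bin/sh
# Added example (not from the original post): audit a spool directory against the
# SysV setgid-mail model. Assumes GNU stat(1); the group name defaults to "mail".
# Expected: spool owned root:mail, mode 0775 (not 1777) so only the group-mail
# delivery agent creates mailboxes; each mailbox owned by its user, group mail,
# mode 0660 or 0600, so a group-mail compromise reaches mailboxes and nothing else.

# Print one WARN line per deviation; return 0 if the spool is clean, 1 otherwise.
audit_spool() {
    spool=$1
    want_group=${MAIL_GROUP:-mail}
    bad=0
    dmode=$(stat -c '%a' "$spool")
    case "$dmode" in
        775|1775|770)
            ;;                      # group mail creates mailboxes, world cannot
        1777|777)
            echo "WARN: $spool is mode $dmode: anyone can create files here," \
                 "so every mailbox must exist before its account does"
            bad=1 ;;
        *)
            echo "WARN: $spool has unexpected mode $dmode"
            bad=1 ;;
    esac
    for box in "$spool"/*; do
        [ -e "$box" ] || continue   # empty spool leaves the glob unexpanded
        name=${box##*/}
        if [ -L "$box" ] || [ ! -f "$box" ]; then
            echo "WARN: $box is not a regular file"; bad=1; continue
        fi
        owner=$(stat -c '%U' "$box"); group=$(stat -c '%G' "$box")
        mode=$(stat -c '%a' "$box")
        [ "$owner" = "$name" ] || { echo "WARN: $box owned by $owner, not $name"; bad=1; }
        [ "$group" = "$want_group" ] || { echo "WARN: $box group is $group, not $want_group"; bad=1; }
        case "$mode" in
            600|660) ;;
            *) echo "WARN: $box is mode $mode (expected 600 or 660)"; bad=1 ;;
        esac
    done
    return $bad
}

# The setgid-mail programs named in the thread: the only things that should be
# able to open another user's mailbox (paths are assumptions, adjust as needed).
list_setgid_mail() {
    find /usr/bin /usr/dt/bin /usr/openwin/bin /usr/SUNWale/bin \
        -type f -perm -2000 -group "${MAIL_GROUP:-mail}" 2>/dev/null
}
if [ $# -eq 1 ]; then audit_spool "$1"; list_setgid_mail; fi
```

Run it as `sh audit.sh /var/mail`; on a host following the setgid model it should print no WARN lines and then the handful of setgid-mail binaries.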
    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 15:34:14 PDT