[ On Monday, May 14, 2001 at 10:24:10 (+0200), Casper Dik wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> I'm not sure why all of the Solaris mail programs are actually set-gid
> mail.

Then you should learn! There are very good reasons for this! But don't try to learn from Solaris itself -- learn from its roots! Solaris has a horribly twisted and broken local mail architecture now.

> If you strip set-gid mail from /usr/bin/mail, /usr/bin/mailx,
> /usr/SUNWale/bin/mailx, /usr/dt/bin/dtmail, /usr/dt/bin/dtmailpr,
> /usr/openwin/bin/mailtool nothing should break.
>
> (At least not if your /var/mail directory has the standard 1777 permissions)

That's NOT the way SysV mail was designed to work! It was *designed* to work with setgid-mail! It was *designed* to never require root privileges in the mail delivery system, and in a proper implementation it doesn't! Using 1777 permissions opens up a whole new can of worms and *requires* (at least generically) that all mailboxes be created *before* the corresponding account is created.

The problem is that mailx was never really corrected in Solaris (either that or it was and then subsequent merges of new BSD code overwrote the fixes). (mailx of course being based on the much older design of the BSD mail system, which was of course based on the original and insecure v7 mail system.)

> By forcing a file permission of 600 on mailboxes, group mail should not
> gain you anything.

If you can do that then that suggests the local delivery agent is also broken and may be using root privileges! It should *NOT* (at least not for the SysV mailbox design). The idea is that a compromise of the mail subsystem, i.e. group mail, should only ever give access to just mailboxes (and not even any of the programs themselves), and nothing more, unlike the older v7 mail system where a compromise was equivalent to a total superuser compromise.

Too bad modern systems went backwards in this respect and still often leave mail systems running as root. Even as far back as SysIII (i.e. 1980) there's clear evidence that the entire AT&T UNIX mail system was leaning far away from using root privileges and would work entirely with just setgid.

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoodsat_private> <woodsat_private>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>
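A spool audit in the spirit of the setgid-mail design argued for in the post above, added here as an example that is not part of the original message or of any Solaris or Planix code. It assumes the classic SysV layout (spool directory mode 775 with group mail, each mailbox mode 660 owned by its user with group mail), a GNU `stat`, and a hypothetical function name `audit_spool`; a 1777 spool or 600 mailboxes are reported as deviations that imply the delivery agent is relying on root instead of group mail.

```shell
#!/bin/sh
# Audit a mail spool directory against the SysV "setgid mail" layout.
# Assumed design: spool dir 775 root:mail, mailboxes 660 user:mail.
# Prints one finding per line; returns 0 if clean, 1 if any finding,
# 2 if the directory cannot be examined. Requires GNU stat (Linux).
audit_spool() {
    spool=$1      # spool directory, e.g. /var/mail
    mailgrp=$2    # expected group name, normally "mail"
    findings=0

    dmode=$(stat -c '%a' "$spool") || return 2
    dgrp=$(stat -c '%G' "$spool")
    case "$dmode" in
        1777) echo "$spool: mode 1777 (world-writable sticky, v7 style); design expects 775 group $mailgrp"
              findings=1 ;;
        775|2775) ;;   # group mail may create mailboxes, nobody else can
        *) echo "$spool: unexpected mode $dmode"; findings=1 ;;
    esac
    [ "$dgrp" = "$mailgrp" ] || { echo "$spool: group is $dgrp, expected $mailgrp"; findings=1; }

    for box in "$spool"/*; do
        [ -f "$box" ] || continue
        set -- $(stat -c '%a %U %G' "$box")
        mode=$1 owner=$2 grp=$3
        # a mailbox is named after the account that owns it
        [ "$(basename "$box")" = "$owner" ] || { echo "$box: owned by $owner, name does not match"; findings=1; }
        [ "$grp" = "$mailgrp" ] || { echo "$box: group $grp, expected $mailgrp"; findings=1; }
        case "$mode" in
            660) ;;   # owner plus group mail: all the setgid delivery agent needs
            600) echo "$box: mode 600; group $mailgrp cannot append, so delivery must be running as root"
                 findings=1 ;;
            *) echo "$box: mode $mode; world-accessible or otherwise unexpected"; findings=1 ;;
        esac
    done
    return $findings
}
```

Run it as `audit_spool /var/mail mail`; a clean spool prints nothing and exits 0.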
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 15:34:14 PDT