[ On Tuesday, May 15, 2001 at 13:46:23 (+0200), Johann Klasek wrote: ]
> Subject: Re: Solaris /usr/bin/mailx exploit (SPARC)
>
> To correct slightly the picture of a set-gid mail environment:
>
> set-gid has nothing to do with writing the inbox. It was in old days
> (without today's 1000 permission) the only method to allow mail clients
> the creation of .lock files and the inbox file itself in
> /var/spool/mail. It was never necessary to let the inbox writeable for
> group "mail" (of course, probably not true in very old System 7
> environments). Therefore, a 600 permission does NOT implicate an
> unnecessary group mail setup. The delivery into a mailbox is
> accomplished with user (inbox owner) permission (derived from the
> set-uid root MTA).

To correct that misinformation:

V7 used setuid-root /bin/mail for delivery (it was insecure).

A correct implementation of SysV mail with setgid-mail does indeed
require that mailboxes be writable by the group mail. The system
mailbox spool directory must not be world writable.

SysV mail is designed to eliminate *ALL* need for setuid-root!

By now you might have realised that SysV mail requires chown() to be
usable by non-root. If so then you're right. It's not compatible with
naive filesystem-based quotas. Pick one: a) root compromises, or
b) quotas.

Actually, you don't have to -- you can implement mailbox quotas in the
mail delivery agent and you can put your mailbox directory on a separate
filesystem such that you don't have to use FS quotas there.

BSD's setuid-root mail subsystem is stupidly insecure, but many of us do
live with its risks every day..... :-(

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoodsat_private> <woodsat_private>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>
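The two mailbox layouts argued over in the exchange above (the SysV design, where a setgid-mail client writes group-writable mailboxes inside a spool directory that is not world-writable, and the BSD design, where mailboxes are mode 600 and a setuid-root agent does the delivery) can be checked on a running system. The audit script below is an added example and is not code from the thread or from either poster. It assumes a POSIX sh with ls(1) and awk(1), takes the spool directory, the mail group name and the binaries to inspect as arguments, and reports mailboxes and binaries that fit neither layout; the default paths under MAIL_SPOOL are an assumption for the classic layout, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the archived thread): audit a mail spool and the
# mail binaries against the two designs discussed above. Assumes POSIX sh,
# ls(1) and awk(1); paths and the mail group name are taken as arguments.

# Print "<10-char mode string> <owner> <group>" for a path, as shown by ls -l.
mode_owner_group() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# Findings for the spool directory itself. Under either design it must not
# be world-writable; the one tolerated exception is the sticky bit (the
# "1000 permission" of the quoted post), which stops users from removing
# each other's mailboxes and lock files.
spool_dir_findings() {
    dir=$1
    set -- $(mode_owner_group "$dir")
    case $1 in
        d???????w[tT]) ;;                                  # 1777: acceptable
        d???????w?) echo "$dir: world-writable without sticky bit" ;;
    esac
}

# Findings for every mailbox in the spool. $2 is the group a setgid-mail
# client runs as ("mail" on SysV). A 660 mailbox owned by that group fits
# the SysV layout, a 600 mailbox the BSD layout; anything else is reported.
mailbox_findings() {
    dir=$1
    mailgrp=${2:-mail}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        box=$(basename "$f")
        set -- $(mode_owner_group "$f")
        mode=$1 owner=$2 group=$3
        [ "$owner" = "$box" ] || echo "$f: owned by $owner, expected $box"
        case $mode in
            ????????w?) echo "$f: world-writable" ;;
        esac
        case $mode in
            ?????w????)
                [ "$group" = "$mailgrp" ] ||
                    echo "$f: group-writable but group is $group, not $mailgrp" ;;
        esac
    done
}

# Classify a binary as "setuid <owner>", "setgid <group>" or "none". A
# binary carrying both bits is reported as setuid, the more serious one.
binary_privs() {
    set -- $(mode_owner_group "$1")
    case $1 in
        ???[sS]??????) echo "setuid $2" ;;
        ??????[sS]???) echo "setgid $3" ;;
        *) echo "none" ;;
    esac
}

# Full report: spool directory, mailboxes, then each binary given.
audit_mail() {
    dir=$1; grp=$2; shift 2
    spool_dir_findings "$dir"
    mailbox_findings "$dir" "$grp"
    for bin in "$@"; do
        if [ -e "$bin" ]; then echo "$bin: $(binary_privs "$bin")"; fi
    done
}

# Run against a live system (assumed classic paths; adjust for your MTA):
#   MAIL_SPOOL=/var/spool/mail sh audit_mail.sh
if [ -n "${MAIL_SPOOL:-}" ]; then
    audit_mail "$MAIL_SPOOL" "${MAIL_GROUP:-mail}" /usr/bin/mailx /usr/bin/mail
fi
```

A mailbox that is owned by someone other than its name, or a world-writable mailbox, is a problem under both designs; a group-writable mailbox whose group is not the mail group is the mixed configuration neither design intends. The binary report shows which trust model the installed client and delivery agent actually rely on, which is the point of Greg's reply: a setgid-mail client is only as safe as the spool permissions around it, and a setuid-root one carries root with it into every bug.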
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 01:53:10 PDT