On Fri, May 18, 2001 at 04:35:08PM -0400, Greg A. Woods wrote:
> [ On Friday, May 18, 2001 at 11:18:51 (-0400), Wietse Venema wrote: ]
> > 3 - User-specified shell commands. Traditionally, a user can specify
> > any shell command in ~user/.forward, and that command will execute
> > with the privileges of that user.
>
> Personally I'm loath to allow ordinary users to specify delivery to
> programs in the first place, and forcing them at minimum to arrange for
> their mail filters to run unprivileged seems like a very small price
>
> That's certainly the way it works on Plan 9:
>
> If the file /mail/box/username/pipeto exists and is readable
> and executable by everyone, it will be run for each
> incoming message for the user. The message will be piped
> to it rather than appended to his/her mail box. The file
> is run as user `none'.

So users with "pipeto" scripts are vulnerable to other users' "pipeto" scripts, since they all run as the same user. "Mutual Assured Corruption" you might say. I think that sounds like a *large* price to pay!

> Note that there are solutions to the filtering issue which do not
> require the final destination of filtered messages to be an inbox that's
> writable by the unprivileged user (e.g. just pass them back to the mail
> system for re-delivery to a new mailbox).

Your earlier post assumed that users didn't want to use ~/.forward to specify custom actions. Now you're assuming all the user wants to do is "filter" the mail, i.e., decide which mailbox to put it in. But users want to do more with their mail than simply "filter" it.

To protect users from each other's ~/.forward instructions, it is necessary, as Wietse said, for the delivery agent to start with superuser privileges. There are ways to make things a little bit safer, e.g. have the delivery agent drop privileges to nobody:bobpipe (where only bob is a member of bobpipe) instead of bob:users when running the ~/.forward command, but that only protects bob from his own mistakes in ~/.forward and still leaves the delivery agent starting out with superuser privs...

-Peter
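The privilege model argued over above, as an added example that is not part of the thread and not the code of any real MTA: a delivery agent that starts as root and, before executing a ~/.forward command, drops permanently to a per-user pair such as nobody:bobpipe, then verifies that the drop took effect and cannot be undone. It also shows the ownership and mode check on the forward file that goes with running it under the recipient's identity, since a forward file another user can edit reproduces the "mutual corruption" problem of the shared `none' user. The function names, the uid/gid arguments and the constructed /tmp test file are assumptions of this example; the demonstration in main() drops to the caller's own ids so it runs without root.

```c
/* Added example: privilege drop and forward-file check for a delivery
 * agent, as discussed in the reply above. Not code from any real MTA. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from superuser to uid:gid (e.g. nobody:bobpipe) before
 * exec'ing a ~/.forward command. Order matters: supplementary groups and the
 * gid must go first, because once the uid is no longer 0 they can't be changed.
 * Returns 0 on success, -1 on any failure; the caller must then abort delivery
 * rather than run the command with whatever privileges are left. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear inherited supplementary groups; only root may do this. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop took effect on both the real and the effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* A dropped process must not be able to regain root. If setuid(0) still
     * succeeds, only the effective id was changed and the drop is not real. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Before running anything from a user's forward file, insist that it is a
 * regular file owned by that user and writable by nobody else; otherwise
 * another user could run commands under the recipient's identity.
 * Returns 1 if acceptable, 0 otherwise. */
int forward_file_ok(const char *path, uid_t owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;                          /* missing, or metadata unreadable */
    if (!S_ISREG(st.st_mode))
        return 0;                          /* no symlinks, fifos, devices */
    if (st.st_uid != owner)
        return 0;                          /* must belong to the recipient */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                          /* group- or world-writable: reject */
    return 1;
}

/* Demonstration helper (constructed input): create a forward file in /tmp
 * with the given permission bits and return its path. Returns 0 on success. */
int make_test_forward(mode_t mode, char *path_out, size_t len)
{
    int fd;

    snprintf(path_out, len, "/tmp/forward_exampleXXXXXX");
    fd = mkstemp(path_out);                /* created 0600, owned by us */
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];

    if (make_test_forward(0644, path, sizeof path) != 0) {
        perror("mkstemp");
        return 1;
    }
    printf("0644 forward file accepted: %d\n", forward_file_ok(path, getuid()));
    chmod(path, 0666);
    printf("0666 forward file accepted: %d\n", forward_file_ok(path, getuid()));
    unlink(path);

    /* Dropping to our own ids is a no-op that still exercises every check. */
    printf("drop_privileges: %s\n",
           drop_privileges(getuid(), getgid()) == 0 ? "ok" : strerror(errno));
    return 0;
}
```

In a real agent the sequence is: check the forward file, fork, call drop_privileges() in the child, and only then exec the command; a non-zero return from either check means the message is deferred or bounced, never delivered with the parent's privileges.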
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 12:38:18 PDT