Re: Mail delivery privileges

From: Peter W (peterwat_private)
Date: Fri May 18 2001 - 18:04:37 PDT

    On Fri, May 18, 2001 at 04:35:08PM -0400, Greg A. Woods wrote:
    
    > [ On Friday, May 18, 2001 at 11:18:51 (-0400), Wietse Venema wrote: ]
    
    > > 3 - User-specified shell commands. Traditionally, a user can specify
    > > any shell command in ~user/.forward, and that command will execute
    > > with the privileges of that user.
    
    > Personally I'm loath to allow ordinary users to specify delivery to
    > programs in the first place, and forcing them at minimum to arrange for
    > their mail filters to run unprivileged seems like a very small price
    
    > That's certainly the way it works on Plan 9:
    
    >        If  the file /mail/box/username/pipeto exists and is read-
    >        able and executable by everyone, it will be run  for  each
    >        incoming  message for the user.  The message will be piped
    >        to it rather than appended to his/her mail box.  The  file
    >        is run as user `none'.
    
    So users with "pipeto" scripts are vulnerable to other users' "pipeto"
    scripts, since they all run as the same user. "Mutual Assured Corruption" 
    you might say. I think that sounds like a *large* price to pay!
    
    > Note that there are solutions to the filtering issue which do not
    > require the final destination of filtered messages to be an inbox that's
    > writable by the unprivileged user (eg. just pass them back to the mail
    > system for re-delivery to a new mailbox).
    
    Your earlier post assumed that users didn't want to use ~/.forward to
    specify custom actions. Now you're assuming all the user wants to do
    is "filter" the mail, i.e., decide which mailbox to put it in. But
    users want to do more with their mail than simply "filter" it.
    
    To protect users from each other's ~/.forward instructions, it is necessary,
    as Wietse said, for the delivery agent to start with superuser privileges.
    There are ways to make things a little bit safer, e.g. have the delivery
    agent drop privileges to nobody:bobpipe (where only bob is a member of 
    bobpipe) instead of bob:users when running the ~/.forward command, but that
    only protects bob from his own mistakes in ~/.forward and still leaves
    the delivery agent starting out with superuser privs...
    
    -Peter
    



    This archive was generated by hypermail 2b30 : Sat May 19 2001 - 12:38:18 PDT