David Wagner wrote:
>Peter W wrote:
>>To protect users from each others' ~/.forward instructions, it is necessary,
>>as Wietse said, for the delivery agent to start with superuser privileges.
>
>[...] Imagine: ~/.forward-program could be a
>setuid executable, owned by the user, and a non-root delivery
>agent could exec() the relevant ~/.forward-program. [...] What am I missing?

Many folks responded privately (thanks, all!). Here's a summary.

- It doesn't work if home directories are on a partition mounted nosetuid.
  (Fix: Put the .forward-program elsewhere.)
- You have to be very careful when writing a setuid ~/.forward-program.
  (Agreed.)
- Writeable home directories are very dangerous. (Agreed.)
- A more problematic issue is that a malicious user can gain access to the
  uid that the delivery agent runs under by calling setuid(2) or by simply
  stripping the setuid bit off of their ~/.forward-program. (Uh oh...)

I must admit that I had not anticipated this last attack, which is a very
serious threat. It seems to me that it might be possible to defend against
this attack, if the appropriate mail delivery agent runs under a
'nobody'-like uid with absolutely no privileges. However, this may be tricky
to configure safely, and the fact that I overlooked one subtle attack leaves
some reason to be concerned that there may be other even more subtle attacks
lurking in the shadows.

I think we can say that it might be possible to make my proposal work, but
the details appear to be non-trivial.

Thanks to Peter W., Greg Woods, Chris Siebenmann, Emmanuel Galanos, Steve
Bellovin, Henrik Nordstrom, and Roman Werpachowski for comments.
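As an added illustration (not code from the thread or from any delivery agent), here is the pre-exec check a non-root delivery agent could apply to ~/.forward-program against the first and fourth objections in the summary: it refuses the file unless it is a regular file owned by the recipient, still carries its setuid bit, is not group/world writable, and sits on a mount without nosuid. The function names and the demo on a constructed temp file are assumptions for this example; note that it does nothing about the setuid(2) objection, since a program that passes can still call setuid(getuid()) and land on the agent's real uid.

```c
/* Added example: verify ~/.forward-program before a non-root delivery agent
 * would exec() it. Catches a stripped setuid bit and a nosuid mount; it does
 * NOT stop the program from calling setuid(getuid()) once it runs. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

enum fwd_verdict { FWD_OK, FWD_NOFILE, FWD_NOT_REGULAR, FWD_BAD_OWNER,
                   FWD_NO_SETUID, FWD_WRITABLE, FWD_NOSUID_MOUNT };

/* Open first and inspect the descriptor, so the file judged is the one that
 * would later be passed to fexecve(); re-checking by path could be raced. */
enum fwd_verdict check_forward_program(const char *path, uid_t recipient, int *fd_out)
{
    struct stat st;
    struct statvfs vfs;
    enum fwd_verdict v = FWD_OK;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return FWD_NOFILE;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) v = FWD_NOT_REGULAR;
    else if (st.st_uid != recipient)                  v = FWD_BAD_OWNER;
    else if (!(st.st_mode & S_ISUID))                 v = FWD_NO_SETUID; /* bit stripped */
    else if (st.st_mode & (S_IWGRP | S_IWOTH))        v = FWD_WRITABLE;
    else if (fstatvfs(fd, &vfs) == 0 && (vfs.f_flag & ST_NOSUID)) v = FWD_NOSUID_MOUNT;
    if (v == FWD_OK && fd_out) *fd_out = fd; else close(fd);
    return v;
}

/* Runs the check over a constructed temp file in each state; returns 1 when
 * every verdict is as expected. /tmp is often mounted nosuid, so the
 * positive case accepts FWD_NOSUID_MOUNT as well as FWD_OK. */
int demo_on_temp_files(void)
{
    static const char body[] = "#!/bin/sh\necho delivered\n";   /* constructed */
    char path[] = "/tmp/fwdprogXXXXXX";
    int ok = 1, fd = mkstemp(path);                /* mode 0600, no setuid bit */
    if (fd < 0 || write(fd, body, sizeof body - 1) < 0) return 0;
    close(fd);
    ok &= check_forward_program("/tmp/no-such-forward-program", getuid(), NULL) == FWD_NOFILE;
    ok &= check_forward_program(path, getuid(), NULL) == FWD_NO_SETUID;
    ok &= check_forward_program(path, getuid() + 1, NULL) == FWD_BAD_OWNER;
    if (chmod(path, S_ISUID | S_IRWXU | S_IWOTH) == 0)
        ok &= check_forward_program(path, getuid(), NULL) == FWD_WRITABLE;
    if (chmod(path, S_ISUID | S_IRWXU) == 0) {
        enum fwd_verdict v = check_forward_program(path, getuid(), NULL);
        ok &= (v == FWD_OK || v == FWD_NOSUID_MOUNT);
    }
    unlink(path);
    return ok;
}
```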
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 13:31:27 PDT