non-superuser chown(2)s considered harmful
Neil Rickert
rickert at mp.cs.niu.edu
Sat Dec 15 02:07:10 AEST 1990
In article <2803 at cirrusl.UUCP> dhesi%cirrusl at oliveb.ATC.olivetti.com (Rahul Dhesi) writes:
>
>Is there a security problem if the mail spool directory is world-
>writable but its sticky bit is set?

    cd /usr/spool/mail
    ls dhesi
    Error: dhesi not found
    touch dhesi
    chmod 777 dhesi

Now I own your mail box. Depending on the version of /bin/mail the
ownership may revert to you when you next receive mail. But it is
publicly readable. Maybe you go around checking if your mailbox is
publicly readable, but most people don't.
(This is not to mention some other problems which I would prefer not
to publicize).
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert at cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115. +1-815-753-6940
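
A defender-side check for the condition shown in the post, as an added example that is not part of the original message: it lists mailboxes whose owner does not match the file name or that grant any access to "other". The one-file-per-login spool layout and all function names are assumptions, and the sample spool is constructed in a temporary directory.

```python
import os
import pwd
import stat
import tempfile


def owner_name(uid):
    """Map a uid to a login name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_spool(spool_dir):
    """Return (mailbox, problem) pairs. Assumes each mailbox is a regular
    file named after the login that should own it."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))  # never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        owner = owner_name(st.st_uid)
        if owner != name:
            findings.append((name, f"owned by {owner}"))
        other = st.st_mode & stat.S_IRWXO
        if other:
            findings.append((name, f"world-accessible (other bits {other:o})"))
    return findings


def build_demo_spool():
    """Constructed sample: one healthy mailbox, one pre-created as in the post."""
    spool = tempfile.mkdtemp(prefix="spool-demo-")
    me = owner_name(os.getuid())
    for name, mode in ((me, 0o600), ("dhesi", 0o777)):
        path = os.path.join(spool, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return spool, me


if __name__ == "__main__":
    spool, me = build_demo_spool()
    for mailbox, problem in audit_spool(spool):
        print(f"{mailbox}: {problem}")
```

Run against a real spool directory, the same function reports every mailbox that was created by someone other than its named user or left readable by everyone.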
More information about the Comp.unix.internals
mailing list