/bin/mail
dbj.rice%rand-relay at sri-unix.UUCP
Wed Jun 15 15:28:57 AEST 1983
From: Dave Johnson <dbj.rice at rand-relay>
We noticed the "gaping security hole" in /bin/mail here at Rice and found a
simple way to fix the problem (actually, Bill LeFebvre here found the solution).
Make /bin/mail do a setuid(getuid()) after forking a subprocess but before
execing /etc/delivermail. Delivermail is actually the one that mails to
files and it doesn't expect to be a setuid program. It thus doesn't check
for access() to write on the file, but merely does it and lets it fail if it
will. /bin/mail IS supposed to be setuid to root, but delivermail IS NOT.
The setuid(getuid()) in /bin/mail sets the effective uid back to the real
uid, undoing the effect of /bin/mail being a setuid program before running
delivermail.
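The fix described in the post, as an added C example (not code from the post, from Rice, or from the 4BSD /bin/mail sources): fork, call setuid(getuid()) in the child, verify that the effective uid really did fall back to the real uid, and only then exec. It also shows why the approach is sufficient for delivermail: the child does no access(2) check of its own and simply opens the target file, leaving the kernel to refuse the open using the now-unprivileged uid. The function names, the 126/127 exit codes and the /tmp file are this example's own conventions. The post-drop check matters because, by POSIX semantics, setuid() performs a complete drop (real, effective and saved uid) only when the caller has appropriate privileges, i.e. the root-setuid case the post describes; a program that is setuid to some other account should not assume a 0 return means all three ids changed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make the effective uid equal the real uid, undoing the set-user-ID bit.
 * Returns 0 on success, -1 (errno set) on failure.  The result is verified
 * rather than trusted: a 0 from setuid(2) alone is not proof of the drop. */
static int drop_privileges(void)
{
    uid_t real = getuid();

    if (setuid(real) == -1)
        return -1;
    if (geteuid() != real || getuid() != real) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Wait for 'pid'; return its exit status, or -1 if it did not exit normally. */
static int wait_status(pid_t pid)
{
    int status;

    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Fork, drop privileges in the child, then exec 'path' with 'argv': the
 * sequence the post prescribes for /bin/mail before running delivermail.
 * Returns the child's exit status; 126 if the drop failed and 127 if exec
 * failed (shell-style codes chosen for this example); -1 on fork/wait error. */
static int run_unprivileged(const char *path, char *const argv[])
{
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (drop_privileges() == -1) {
            perror("setuid(getuid())");
            _exit(126);
        }
        execv(path, argv);
        perror(path);
        _exit(127);
    }
    return wait_status(pid);
}

/* Run a shell command line in an unprivileged child. */
static int run_shell_unprivileged(const char *cmd)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };

    return run_unprivileged("/bin/sh", argv);
}

/* What delivermail does with a mail-to-file address: no access(2) check,
 * just open for append and let the kernel refuse if the (now real) uid may
 * not write.  Returns 0 if the append succeeded, 1 if open or write failed,
 * 126 if the drop failed, -1 on fork/wait error. */
static int append_as_real_uid(const char *path, const char *data)
{
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        if (drop_privileges() == -1)
            _exit(126);
        int fd = open(path, O_WRONLY | O_APPEND);
        if (fd == -1 || write(fd, data, strlen(data)) != (ssize_t)strlen(data))
            _exit(1);
        close(fd);
        _exit(0);
    }
    return wait_status(pid);
}

/* Self-check: appending to a file the real uid owns must succeed. */
static int append_to_own_tempfile(void)
{
    char path[] = "/tmp/mailfix-XXXXXX";   /* example's own scratch file */
    int fd = mkstemp(path);

    if (fd == -1)
        return -1;
    close(fd);
    int rc = append_as_real_uid(path, "test line\n");
    unlink(path);
    return rc;
}

int main(void)
{
    printf("parent: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    /* Install this binary set-user-ID root to watch euid fall back to uid. */
    run_shell_unprivileged("echo \"child: uid=$(id -ru) euid=$(id -u)\"");
    printf("append to own file: %d, append to /etc/passwd: %d\n",
           append_to_own_tempfile(), append_as_real_uid("/etc/passwd", ""));
    return 0;
}
```

Run it as an ordinary user and the two uids already match, so the drop is a no-op; install it set-user-ID root and the child line shows euid equal to the real uid while the parent still reports euid 0, and the /etc/passwd append fails with EACCES exactly as a mail-to-file delivery should.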
More information about the Comp.unix.wizards mailing list