/bin/mail protections
mjl at ritcv.UUCP
Sat Jun 11 00:29:26 AEST 1983

The biggest problem with 4.1 /bin/mail is that it's both a front end
and a backend to delivermail. In the former role, it should not act
set-uid root as this will be inherited by delivermail, which then
permits all sorts of bad things (like writing to arbitrary files). In
the latter role, /bin/mail probably should be set-uid to support
protection of mailboxes by the owners and controlled writing by the
senders.

Our local fix was to have /bin/mail do a setgid(getgid()) and
setuid(getuid()) just before executing delivermail. Thus delivermail
runs with the sender's permissions. When delivermail later calls
/bin/mail to actually store the letter, the root permissions are
reinstated and the mail can be delivered.

If anyone out there sees a gaping hole that I'm missing, please let me
know.

Mike Lutz {allegra,seismo}!rochester!ritcv!mjl
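
The privilege drop described in the post above, written out in C as an added example; it is not part of the original post and not the 4.1BSD /bin/mail source. The function names, the fork-and-wait wrapper and the `/path/to/delivermail` placeholder are assumptions made for illustration.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up set-uid/set-gid privilege; returns 0 only if the drop is verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is no longer root, setgid() would be refused. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    /* For a non-root invoker, getting root back must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, exec `path`; returns its exit status
 * (127 if the drop or the exec failed, -1 on fork/wait errors). */
int run_as_invoker(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() == 0)
            execv(path, argv);   /* returns only on failure */
        _exit(127);              /* never continue with privilege intact */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Placeholder path: the post does not say where delivermail lives. */
    char *const argv[] = { "delivermail", NULL };
    return run_as_invoker("/path/to/delivermail", argv) == 0 ? 0 : 1;
}
```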