deceptive mail
Dave Cohrs
dave at uwvax.UUCP
Sun Nov 11 01:36:33 AEST 1984
> Somebody here noticed the following "feature" of mail (4.2 BSD). Under
> certain conditions, a user "xyzu" can do a "set user=abcd" and send mail
> to user "pqrs". To "pqrs" it appears that "abcd" sent the mail (xyzu <>
> abcd). This could cause misunderstandings or such if "xyzu" were malicious.
> Is this a feature or a bug? Thanks.
I think this is the product of a bug and a "feature". The bug is in /bin/mail
and a bad fix in the same. It seems that /bin/mail would throw mail
from uucp on the floor under certain circumstances. The fix was to take
out all checking for the sender and just believe whatever /bin/mail was told.
Not a good policy as far as I'm concerned. The feature is that mail loves
to look at silly things like getlogin() and $USER instead of more valid
things like getpwuid(getuid()) for the username. These two combined cause
mail to make bogus 'From' lines.
The real fix is in /bin/mail -- get rid of the bad fix and do getpwuid()s
instead of getlogin()s to find the username. While you're at it, you
might want to do this to ucb/mail and sendmail too. I guess this isn't the
most popular way of handling mail senders, but I find it the most reliable --
I tend to like my mail coming from whomever the person is currently, not who
they logged in as!
--
(Bug? What bug? That's a feature!)
Dave Cohrs
...!{allegra,heurikon,ihnp4,seismo,uwm-evax}!uwvax!dave
dave at wisc-rsch.arpa
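
The difference between the two lookups discussed in the reply, as an added example that is not part of the original post and is not 4.2 BSD source: the function names, the `uid<N>` fallback and the value `abcd` (taken from the quoted question) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Sender name taken from caller-controlled sources ($USER, then getlogin()).
 * Anyone can set $USER, and getlogin() names the login session, not the
 * uid the process is running as. */
const char *claimed_sender(void)
{
    const char *u = getenv("USER");
    if (u != NULL && *u != '\0')
        return u;
    u = getlogin();
    return u != NULL ? u : "";
}

/* Sender name derived from the real uid via the passwd database.
 * If the uid has no passwd entry, fall back to a numeric "uid<N>" form
 * (hypothetical format) rather than trusting the environment.
 * Returns 0 on success, -1 if the name does not fit in out. */
int verified_sender(char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(getuid());
    int n;

    if (pw != NULL && pw->pw_name != NULL)
        n = snprintf(out, outlen, "%s", pw->pw_name);
    else
        n = snprintf(out, outlen, "uid%lu", (unsigned long)getuid());
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char before[256], after[256];

    verified_sender(before, sizeof before);
    setenv("USER", "abcd", 1);          /* constructed value from the question */
    verified_sender(after, sizeof after);
    printf("claimed:  %s\nverified: %s (before) / %s (after)\n",
           claimed_sender(), before, after);
    return 0;
}
```
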