Date: Thu, 06 May 1999 07:21:54 -0700
From: Cy Schubert <cschuber@uumail.gov.bc.ca>
To: Deepwell Internet <freebsd@deepwell.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
Message-ID: <199905061422.HAA41839@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Fri, 30 Apr 1999 10:34:16 PDT." <4.1.19990430103009.012536c0@mail1.dcomm.net>
You are correct, however a better approach would be "rm -rf /", as
it would take less time to complete and it would remove any possibility
of users filling your disk. You would also have the added benefit of
having a system that would be almost impossible to break into.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD Cy.Schubert@gems8.gov.bc.ca
Province of BC
"Take Leykis 101, for gods's sake."
In message <4.1.19990430103009.012536c0@mail1.dcomm.net>, Deepwell Internet writes:
> I prefer all my files, executables and data to be SUID root. I'm even
> including a small script to aid in this. Good luck!
>
> #!/bin/sh
> cd /
> chown -R root:wheel /
> chmod -R 6777 /
> echo 'done'
>
>
>
>
> At 10:05 AM 4/30/99 -0700, you wrote:
> >In message <Pine.OSF.4.05.9904301535330.15810-100000@haddock.euitt.upm.es>, "Pedro J. Lobo" writes:
> >> Hello, people.
> >>
> >> I have a 3.1-RELEASE machine which, among other tasks, acts as a mail and
> >> telnet server for our students. Recently I noticed that several users were
> >> using more disk space than their quotas should allow (!). After a bit of
> >> investigation, I have traced down the problem to the mail system.
> >>
> >> The problem is that you can send mail to a user that is over quota, and
> >> the system will append the new message to their inbox (located in /var/mail,
> >> as by default). Indeed, root can append data to a file that belongs to a
> >> user that is over quota.
> >>
> >> As you may see, it is a rather ugly "feature". So, the question is: does
> >> /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> >> use /usr/bin/mail as the local mailer? I also administer an alpha with
> >> Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> >> mailer.
> >
> >The main difference between DU and FreeBSD is:
> >
> >DU 4.0D:
> >OSF1 hostname V4.0 878 alpha
> >drwxrwxrwt 2 root mail 512 Apr 26 00:00 /var/spool/mail
> >lrwxrwxrwx 1 root system 7 Dec 9 14:16 /bin -> usr/bin
> >-rws--x--x 2 root bin 40960 Dec 29 1997 /usr/bin/mail
> >
> >FreeBSD 3.1R:
> >FreeBSD hostname 3.1-RELEASE FreeBSD 3.1-RELEASE #0: Thu Apr 8 16:05:54 PDT 1999 root@hostname:/opt/usr_src-310/sys/compile/HOSTNAME i386
> >drwxrwxr-x 2 root mail 512 Apr 30 09:41 /var/mail
> >-r-sr-xr-x 1 root wheel 15056 Mar 2 06:53 /usr/libexec/mail.local
> >
> >Solaris 2.6 (for good measure):
> >SunOS HOSTNAME 5.6 Generic_105181-12 sun4u sparc SUNW,Ultra-Enterprise
> >drwxrwxrwt 3 root mail 512 Apr 29 23:45 /var/mail
> >-r-x--s--x 1 bin mail 64376 Jul 15 1997 /bin/mail
> >
> >You can resolve your issue by making mail.local sgid mail instead
> >of suid root. Ownership of individual mail files cannot be set by
> >mail.local when it's sgid mail, so you will need to create each
> >individual user's mail spool file with the proper permissions 660
> >and ownership before they can receive mail. If mail.local is the
> >only sgid mail application on your system, using sgid mail
> >shouldn't be any less secure (from a privacy point of view) than
> >the stock-out-of-the-box setup.
> >
> >
> >Regards, Phone: (250)387-8437
> >Cy Schubert Fax: (250)387-5766
> >Open Systems Group Internet: Cy.Schubert@uumail.gov.bc.ca
> >ITSD Cy.Schubert@gems8.gov.bc.ca
> >Province of BC
> > "e**(i*pi)+1=0"
> >
> >
> >
> >
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
>
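An added POSIX sh audit of the configuration Cy recommends (not part of the thread or of FreeBSD): it reports whether a local mailer binary is setuid root, setgid (e.g. mail) or neither, and creates or checks a per-user spool file as user:mail mode 660 so a setgid-mail mail.local can deliver to it. The paths /usr/libexec/mail.local and /var/mail and the group name mail come from the thread; the function names and the `ls -ld` parsing are assumptions of this example.

```sh
#!/bin/sh
# Audit helpers for the suid-root vs. sgid-mail local mailer question above.
# Parses `ls -ld` output, the same format as the listings quoted in the thread.
# mailer_privilege, spool_ok and create_spool are names assumed by this example.

# Report the privilege a binary gains when executed: "setuid-<owner>",
# "setgid-<group>", both (comma separated), "unprivileged", or "missing".
# 4th mode character is the setuid bit, 7th is the setgid bit.
mailer_privilege() {
    path=$1
    [ -e "$path" ] || { echo missing; return 1; }
    set -- $(ls -ld "$path")
    mode=${1-} owner=${3-} group=${4-} priv=""
    case $mode in ???[sS]*) priv="setuid-$owner" ;; esac
    case $mode in ??????[sS]*) priv="${priv:+$priv,}setgid-$group" ;; esac
    echo "${priv:-unprivileged}"
}

# With mail.local sgid mail instead of suid root, each spool file must already
# exist as <user>:<group> mode 660.  Returns 0 when $dir/$user looks right.
spool_ok() {
    dir=$1 user=$2 group=${3:-mail} f="$1/$2"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    set -- $(ls -ld "$f")
    case $1 in -rw-rw----*) ;; *) echo "$f: mode $1, want -rw-rw----" >&2; return 1 ;; esac
    [ "$3" = "$user" ]  || { echo "$f: owner $3, want $user" >&2; return 1; }
    [ "$4" = "$group" ] || { echo "$f: group $4, want $group" >&2; return 1; }
    return 0
}

# Pre-create a user's spool file with the ownership and mode spool_ok expects.
# chown to another user needs root; ": >>" keeps any mail already in the file.
create_spool() {
    dir=$1 user=$2 group=${3:-mail} f="$1/$2"
    (umask 007 && : >> "$f") && chown "$user:$group" "$f" && chmod 660 "$f"
}

# Usage: sh audit_mail.sh /usr/libexec/mail.local /var/mail alice bob
if [ $# -ge 2 ]; then
    echo "$1: $(mailer_privilege "$1")"
    dir=$2; shift 2
    for u in "$@"; do spool_ok "$dir" "$u" && echo "$dir/$u: ok"; done
fi
```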
