From: Brett Glass
To: "Charles M. Richmond", security@FreeBSD.ORG
Date: Sat, 13 Apr 2002 17:07:39 -0600
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems

At 12:26 PM 4/13/2002, Charles M. Richmond wrote:

>So yes the BSD mailx/mail has the bug. Also I do not see a bug
>report on sunsolve.sun.com. On the other hand it appears that the
>tilde command is not operating with the effective UID but with the
>actual UID. Even though mailx is SGID mail and the root mailbox is
>group readable for mail:
>
>ls -l /var/mail
>total 18
>drwxrwxr-x 2 root mail 512 Oct 25 08:34 :saved
>-rw-rw---- 1 cmr mail 318 Apr 13 14:04 cmr
>-rw-rw---- 1 root mail 7090 Mar 28 03:10 root
>
>amaterasu% echo "~\!cat /var/mail/root" | mailx cmr
>cat: cannot open /var/mail/root
>!
>No message !?!
>
>
>Does this mitigate the problem sufficiently?

Not if the process invoking mail really is running as root, as a
periodic maintenance script would.

--Brett