From owner-freebsd-security Sun Jun 9 20:28:46 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA12627 for security-outgoing; Sun, 9 Jun 1996 20:28:46 -0700 (PDT) Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA12589 for ; Sun, 9 Jun 1996 20:28:39 -0700 (PDT) Received: from post.io.org (post.io.org [198.133.36.6]) by who.cdrom.com (8.6.12/8.6.11) with ESMTP id UAA13887 for ; Sun, 9 Jun 1996 20:28:38 -0700 Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id XAA18005; Sun, 9 Jun 1996 23:26:11 -0400 (EDT) Date: Sun, 9 Jun 1996 23:26:16 -0400 (EDT) From: Brian Tao To: "Rodney W. Grimes" cc: freebsd-security@freebsd.org Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue? In-Reply-To: <199606100300.UAA15048@GndRsh.aac.dev.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Sun, 9 Jun 1996, Rodney W. Grimes wrote: > > Denial of service attack: > cat /dev/zero >/var/spool/mqueue/onebigwhole bs=32b > > world writable directories are a bigger problem, IMHO, than a suid > sendmail. True enough, but since /tmp already puts the server in that position, I'm not overly worried about someone pulling this kind of stunt. At least the file will have their username stamped on it. :) OTOH, a more creative user could write a script that fills the directory with symlinks, exhaust all the inodes *and* not leave behind any telltale pointers to his identity. :( -- Brian Tao (BT300, taob@io.org, taob@ican.net) Systems and Network Administrator, Internet Canada Corp. "Though this be madness, yet there is method in't"