Date: Sun, 9 Jun 1996 22:12:05 -0700 (PDT) From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com> To: taob@io.org (Brian Tao) Cc: freebsd-security@freebsd.org Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue? Message-ID: <199606100512.WAA15320@GndRsh.aac.dev.com> In-Reply-To: <Pine.NEB.3.92.960609232322.23792E-100000@zap.io.org> from Brian Tao at "Jun 9, 96 11:26:16 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Sun, 9 Jun 1996, Rodney W. Grimes wrote: > > > > Denial of service attack: > > cat /dev/zero >/var/spool/mqueue/onebigwhole bs=32b > > > > world writable directories are a bigger problem, IMHO, than a suid > > sendmail. > > True enough, but since /tmp already puts the server in that > position, I'm not overly worried about someone pulling this kind of > stunt. At least the file will have their username stamped on it. :) On mail hub servers I usually make /tmp and /var/tmp a seperate partition to avoid this denial of service attack, makeing /var/spool/mqueue 1733 would open it back up :-(. It is impossible to totally close, as the user can mail himself or someone else a large file, or lots of smaller files :-(. > OTOH, a more creative user could write a script that fills the > directory with symlinks, exhaust all the inodes *and* not leave behind > any telltale pointers to his identity. :( :-), yea, there are just too many ways to do this :-( -- Rod Grimes rgrimes@gndrsh.aac.dev.com Accurate Automation Company Reliable computers for FreeBSD
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606100512.WAA15320>