From owner-freebsd-security Sun Jun 9 22:12:26 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA26479 for security-outgoing; Sun, 9 Jun 1996 22:12:26 -0700 (PDT)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id WAA26454 for ; Sun, 9 Jun 1996 22:12:21 -0700 (PDT)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.6.12/8.6.12) id WAA15320; Sun, 9 Jun 1996 22:12:05 -0700
From: "Rodney W. Grimes"
Message-Id: <199606100512.WAA15320@GndRsh.aac.dev.com>
Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue?
To: taob@io.org (Brian Tao)
Date: Sun, 9 Jun 1996 22:12:05 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Brian Tao at "Jun 9, 96 11:26:16 pm"
X-Mailer: ELM [version 2.4ME+ PL11 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Sun, 9 Jun 1996, Rodney W. Grimes wrote:
> >
> > Denial of service attack:
> > cat /dev/zero >/var/spool/mqueue/onebigwhole bs=32b
> >
> > world writable directories are a bigger problem, IMHO, than a suid
> > sendmail.
>
>      True enough, but since /tmp already puts the server in that
> position, I'm not overly worried about someone pulling this kind of
> stunt.  At least the file will have their username stamped on it. :)

On mail hub servers I usually make /tmp and /var/tmp a separate
partition to avoid this denial of service attack; making /var/spool/mqueue
1733 would open it back up :-(.  It is impossible to totally close, as
the user can mail himself or someone else a large file, or lots of
smaller files :-(.

>      OTOH, a more creative user could write a script that fills the
> directory with symlinks, exhaust all the inodes *and* not leave behind
> any telltale pointers to his identity.  :(

:-), yea, there are just too many ways to do this :-(

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                Reliable computers for FreeBSD
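The thread above turns on three properties of a spool or scratch directory: whether any local user can create files in it (o+w together with o+x, as mode 1733 grants), whether the sticky bit keeps other users' files from being deleted or renamed, and whether the directory sits on its own partition so that filling it (by bytes, or by inodes via a symlink flood) cannot starve the rest of the system. The audit below is an added example written for this page, not code from the thread or from FreeBSD; the function and field names (`audit_dir`, `demo_modes`, `own_filesystem`) are its own, and the scratch directory it creates is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example (not from the thread): audit a directory for the
# world-writable-directory denial of service discussed above. The function
# and field names are this example's own, not FreeBSD's or sendmail's.


def audit_dir(path):
    """Classify one directory the way the thread reasons about /tmp and
    /var/spool/mqueue. Returns a dict; see `verdict` for the summary."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError("%s is not a directory" % path)
    mode = stat.S_IMODE(st.st_mode)
    # Creating a file needs both write and search (execute) permission on the
    # directory, so "world-writable" here means o+w together with o+x. Mode
    # 1733 grants exactly that to others while withholding read, so they can
    # drop files in but not list the queue.
    world_writable = bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)
    # The sticky bit (the leading 1 in 1733) keeps users from deleting or
    # renaming files they do not own; it does nothing against filling the
    # filesystem with files they do own.
    sticky = bool(mode & stat.S_ISVTX)
    # A directory that is its own mount point has a different st_dev from its
    # parent. That is the "separate partition" mitigation from the thread:
    # the attacker can still fill it, but not the rest of the system.
    parent = os.path.join(path, os.pardir)
    own_filesystem = os.lstat(parent).st_dev != st.st_dev
    # Headroom of whatever filesystem the directory shares: both bytes and
    # inodes matter, since a symlink flood exhausts inodes, not bytes.
    vfs = os.statvfs(path)
    free_bytes = vfs.f_bavail * vfs.f_frsize
    free_inodes = vfs.f_favail

    if not world_writable:
        verdict = "ok: not world-writable"
    elif not sticky:
        verdict = "bad: world-writable without sticky bit"
    elif not own_filesystem:
        verdict = "risk: world-writable and shares its filesystem"
    else:
        verdict = "mitigated: world-writable but on its own filesystem"
    return {
        "path": path,
        "mode": oct(mode),
        "world_writable": world_writable,
        "sticky": sticky,
        "own_filesystem": own_filesystem,
        "free_bytes": free_bytes,
        "free_inodes": free_inodes,
        "verdict": verdict,
    }


def demo_modes():
    """Walk one constructed scratch directory through the modes the thread
    mentions and return the verdict class for each: 1733 (sticky, world
    write+search), 0755 (not world-writable), 0777 (world-writable, no
    sticky bit)."""
    scratch = tempfile.mkdtemp(prefix="mqueue-audit-")
    results = []
    try:
        for mode in (0o1733, 0o755, 0o777):
            os.chmod(scratch, mode)
            results.append(audit_dir(scratch)["verdict"].split(":")[0])
    finally:
        os.chmod(scratch, 0o700)
        os.rmdir(scratch)
    return results


if __name__ == "__main__":
    for d in ("/tmp", "/var/tmp", "/var/spool/mqueue"):
        if os.path.isdir(d):
            r = audit_dir(d)
            print("%-20s %s sticky=%s own_fs=%s free_inodes=%d  %s"
                  % (d, r["mode"], r["sticky"], r["own_filesystem"],
                     r["free_inodes"], r["verdict"]))
    print(demo_modes())
```

Run as a script it reports the three directories the thread names, if present; the 1733 scratch directory in `demo_modes` lands in "risk" on a normal host because it shares /tmp's filesystem, and would only read "mitigated" if the path were itself a mount point, which is the separate-partition arrangement Rod describes.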