Date: Mon, 10 Jun 1996 00:00:56 -0600 (MDT)
From: Dave Andersen <angio@aros.net>
To: taob@io.org (Brian Tao)
Cc: freebsd-security@freebsd.org
Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue?
Message-ID: <199606100600.AAA09517@terra.aros.net>
In-Reply-To: <Pine.NEB.3.92.960609232322.23792E-100000@zap.io.org> from "Brian Tao" at Jun 9, 96 11:26:16 pm
Lo and behold, Brian Tao once said:
> True enough, but since /tmp already puts the server in that
> position, I'm not overly worried about someone pulling this kind of
> stunt. At least the file will have their username stamped on it. :)
> OTOH, a more creative user could write a script that fills the
> directory with symlinks, exhaust all the inodes *and* not leave behind
> any telltale pointers to his identity. :(

cat >> /var/spool/mqueue/qfAAA25106
In order to improve the security of our system, we request that you
change your password to 'gf55%asdf'. This has been dynamically generated
by a secure password generating program. This is an automatic email.
Please change your password within two days or your account will be
disabled.
<eof>

cat >> /var/spool/mqueue/dfAAA25106
<create a spool file here, and direct it to your favorite batch of users>
<eof>

Or, get creative. You could really wreak havoc with the files that already
existed in that directory if you felt like it. Garbaging people's email,
appending the output of 'fortune' 500 times to your largest client, etc.

Leaving that directory world-writable is a bad, bad move.

-Dave Andersen
--
angio@aros.net Complete virtual hosting and business-oriented system
administration Internet services. (WWW, FTP, email)
http://www.aros.net/ http://www.aros.net/about/virtual
"There are only two industries that refer to their customers as 'users'."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606100600.AAA09517>
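The message above shows why mode 1733 on the queue directory is not enough: the sticky bit only stops other users from removing or renaming files, it does nothing to stop them from creating a fresh qfXXX/dfXXX pair that a root-privileged sendmail will later pick up, and it does nothing about queue files that are themselves group- or world-writable. The script below is an added example (not Dave Andersen's or the FreeBSD project's code) that audits a queue directory for exactly those two conditions plus a third one worth checking, queue files not owned by the expected owner. The queue path, the expected owner and the sample directories it builds are all assumptions constructed for the example; the forged "queue files" it creates are placeholders, not real sendmail control/data file formats.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sendmail-style queue
# directory for the misconfiguration discussed in the thread.
# Assumptions: queue path and expected owner are passed in; the sample
# directories built by build_sample are constructed for demonstration only.

# mode_of PATH -> prints the permission bits of PATH in octal (GNU stat,
# falling back to BSD stat syntax)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_queue_dir DIR OWNER
# Prints one FINDING line per problem and returns 1 if any of these hold:
#   - DIR is writable by group or other (mode 1733 from the thread qualifies:
#     the sticky bit blocks deletion/rename, not creation of new qf/df files)
#   - a queue file (qf*, df*, xf*) is writable by group or other
#   - a queue file is not owned by OWNER (a possible forged entry)
# Returns 0 when nothing was found.
check_queue_dir() {
  dir=$1
  owner=$2
  rc=0
  dmode=$(mode_of "$dir")
  # 022 octal = group-write | other-write; leading 0 forces octal arithmetic
  if [ $(( 0$dmode & 022 )) -ne 0 ]; then
    echo "FINDING: $dir is group/world writable (mode $dmode); anyone can drop qf/df files"
    rc=1
  fi
  for f in "$dir"/qf* "$dir"/df* "$dir"/xf*; do
    [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
    fmode=$(mode_of "$f")
    if [ $(( 0$fmode & 022 )) -ne 0 ]; then
      echo "FINDING: $f is group/world writable (mode $fmode); contents can be altered"
      rc=1
    fi
    if [ -n "$(find "$f" -maxdepth 0 ! -user "$owner")" ]; then
      echo "FINDING: $f is not owned by $owner; forged queue entry?"
      rc=1
    fi
  done
  return $rc
}

# build_sample BASE -> constructs two sample queue directories under BASE:
#   BASE/bad  : mode 1733 as in the thread, with a qf/df pair created from
#               nothing by appending, the way the post describes, and a
#               world-writable df file (so existing mail could be "garbaged")
#   BASE/good : mode 0700 holding a single 0600 queue file
# File contents are placeholders, not real sendmail control/data formats.
build_sample() {
  base=$1
  mkdir -p "$base/bad" "$base/good"
  chmod 1733 "$base/bad"
  chmod 0700 "$base/good"
  printf 'constructed forged control file\n' >> "$base/bad/qfAAA25106"
  printf 'constructed forged message body\n' >> "$base/bad/dfAAA25106"
  chmod 0666 "$base/bad/dfAAA25106"
  printf 'constructed legitimate control file\n' > "$base/good/qfAAA00001"
  chmod 0600 "$base/good/qfAAA00001"
}

# Stand-alone demo on the constructed directories; cleans up after itself.
demo() {
  base=$(mktemp -d)
  build_sample "$base"
  echo "== $base/good"
  check_queue_dir "$base/good" "$(id -un)" && echo "ok: no findings"
  echo "== $base/bad"
  check_queue_dir "$base/bad" "$(id -un)" || echo "NOT ok: see findings above"
  rm -rf "$base"
}

demo
```

Run it as is to see the demo, or call `check_queue_dir /var/spool/mqueue root` on a real host (as root, since the queue is normally unreadable to others). The owner check cannot distinguish a forged entry from one a site legitimately creates under another uid, so treat that finding as a prompt to look at the file, not as proof of tampering.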