From owner-freebsd-security Sun Jun 9 23:01:04 1996
From: Dave Andersen
Message-Id: <199606100600.AAA09517@terra.aros.net>
Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue?
To: taob@io.org (Brian Tao)
Date: Mon, 10 Jun 1996 00:00:56 -0600 (MDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Jun 9, 96 11:26:16 pm

Lo and behold, Brian Tao once said:
> True enough, but since /tmp already puts the server in that
> position, I'm not overly worried about someone pulling this kind of
> stunt. At least the file will have their username stamped on it. :)
> OTOH, a more creative user could write a script that fills the
> directory with symlinks, exhaust all the inodes *and* not leave behind
> any telltale pointers to his identity. :(

cat >> /var/spool/mqueue/qfAAA25106

In order to improve the security of our system, we request that you
change your password to 'gf55%asdf'. This has been dynamically generated
by a secure password generating program. This is an automatic email.
Please change your password within two days or your account will be
disabled.

cat >> /var/spool/mqueue/dfAAA25106

Or, get creative.
You could really wreak havoc with the files that already existed in that
directory if you felt like it. Garbaging people's email, appending the
output of 'fortune' 500 times to your largest client, etc. Leaving that
directory world-writable is a bad, bad move.

-Dave Andersen

--
angio@aros.net
Complete virtual hosting and business-oriented system administration
Internet services. (WWW, FTP, email)
http://www.aros.net/ http://www.aros.net/about/virtual
"There are only two industries that refer to their customers as 'users'."
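As an added example, not code from the original thread or from the FreeBSD project: a small POSIX sh audit that flags the mode 1733 (world-writable, sticky) queue directory the thread argues against, plus any qf*/df* queue files that "other" can write to. The function names are my own; /var/spool/mqueue and the qf/df prefixes are the conventional sendmail ones.

```shell
#!/bin/sh
# Added example, not from the original thread.  Audits a sendmail queue
# directory for the world-writable mode 1733 setting and for queue
# files (qf*/df*) that "other" can write to.  Function names are mine.

# 10-character type/permission string from ls, e.g. "drwx-wx-wt".
# ls -ld output is POSIX, unlike the GNU/BSD-specific stat flags.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# True (exit 0) when the "other" write bit, character 9, is set.
is_world_writable() {
    case "$(perm_string "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mqueue DIR
# Exit 0 if nothing is wrong, 1 if DIR or a queue file in it is
# world-writable, 2 if DIR is not a directory.  Findings go to stdout.
audit_mqueue() {
    dir=$1
    status=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    if is_world_writable "$dir"; then
        echo "$dir: $(perm_string "$dir") is world-writable;" \
             "any local user can create or fill files in the queue"
        status=1
    fi
    # The sticky bit only stops other users deleting or renaming files;
    # it does nothing against appending to a file that is itself writable.
    for f in "$dir"/qf* "$dir"/df*; do
        [ -e "$f" ] || continue
        if is_world_writable "$f"; then
            echo "$f: $(perm_string "$f") queue file is world-writable"
            status=1
        fi
    done
    return $status
}

# Command-line use: sh audit_mqueue.sh /var/spool/mqueue
if [ -n "$1" ]; then
    audit_mqueue "$1"
fi
```

The directory mode is what matters for the symlink/inode-exhaustion and forged-queue-file cases above; the per-file check catches the narrower case of a queue file that was left writable after the directory was fixed.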