Date: Mon, 10 Jun 1996 02:53:06 -0400 (EDT) From: Brian Tao <taob@io.org> To: Dave Andersen <angio@aros.net> Cc: freebsd-security@freebsd.org Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue? Message-ID: <Pine.NEB.3.92.960610023759.1359B-100000@zap.io.org> In-Reply-To: <199606100600.AAA09517@terra.aros.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 10 Jun 1996, Dave Andersen wrote:
>
> cat >> /var/spool/mqueue/qfAAA25106
> In order to improve the security of our system, we request that
[...]
You can do that fairly easily on any system by talking to the SMTP
port of the mail server. In this case, you're just doing the work
that sendmail normally handles for you.
> Or, get creative. You could really wreak havoc with the files that
> already existed in that directory if you felt like it. Garbaging
> people's email, appending the output of 'fortune' 500 times to your
> largest client, etc.
The queue files are created mode 600 and owned by the user who ran
sendmail.
> Leaving that directory world-writable is a bad, bad move.
It isn't readable, so you can't predict the filenames (mailq won't
work, /var/log/messages and /var/log/maillogs are not readable) and
the sticky bit is set to prevent someone from deleting another user's
file (assuming they somehow figured out a filename). I still have a
feeling that I've overlooked something...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.92.960610023759.1359B-100000>