From owner-freebsd-security Sun Jun 9 23:54:10 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA07301 for security-outgoing; Sun, 9 Jun 1996 23:54:10 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA07284 for ; Sun, 9 Jun 1996 23:54:07 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id CAA19447; Mon, 10 Jun 1996 02:53:01 -0400 (EDT)
Date: Mon, 10 Jun 1996 02:53:06 -0400 (EDT)
From: Brian Tao
To: Dave Andersen
cc: freebsd-security@freebsd.org
Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue?
In-Reply-To: <199606100600.AAA09517@terra.aros.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 10 Jun 1996, Dave Andersen wrote:

> > cat >> /var/spool/mqueue/qfAAA25106
> In order to improve the security of our system, we request that [...]

You can do that fairly easily on any system by talking to the SMTP port of the mail server. In this case, you're just doing the work that sendmail normally handles for you.

> Or, get creative. You could really wreak havoc with the files that
> already existed in that directory if you felt like it. Garbaging
> people's email, appending the output of 'fortune' 500 times to your
> largest client, etc.

The queue files are created mode 600 and owned by the user who ran sendmail.

> Leaving that directory world-writable is a bad, bad move.

It isn't readable, so you can't predict the filenames (mailq won't work, /var/log/messages and /var/log/maillogs are not readable) and the sticky bit is set to prevent someone from deleting another user's file (assuming they somehow figured out a filename). I still have a feeling that I've overlooked something...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
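The safeguards Brian lists for a mode 1733 queue directory (sticky bit set, directory not world-readable, queue files mode 600) can be checked with a short audit script. This is an added example, not code from the thread; it assumes a POSIX sh and a find(1) that accepts octal `-perm` arguments, and takes the directory path as a parameter (default /var/spool/mqueue).

```shell
#!/bin/sh
# Added example (not from the original thread): audit a sendmail-style
# queue directory for the properties discussed above. Assumes POSIX sh and
# a find(1) that understands octal -perm modes; the path is a parameter.

audit_mqueue() {
    dir="${1:-/var/spool/mqueue}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # Sticky bit (01000): users may not unlink or rename files they do not own.
    if [ -z "$(find "$dir" -prune -perm -1000 -print)" ]; then
        echo "FAIL: $dir has no sticky bit (others could remove queue files)"
        rc=1
    fi
    # Not world-readable (0004): queue file names cannot be listed by others.
    if [ -n "$(find "$dir" -prune -perm -0004 -print)" ]; then
        echo "FAIL: $dir is world-readable (queue file names are listable)"
        rc=1
    fi
    # World-writable (0002) is the mode-1733 design; report it for the record.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "INFO: $dir is world-writable (expected for mode 1733)"
    fi
    # Queue files must be exactly mode 600: readable/writable only by owner.
    bad_files=$(find "$dir" -type f ! -perm 0600 -print)
    if [ -n "$bad_files" ]; then
        echo "FAIL: queue files not mode 600:"
        echo "$bad_files"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir passes the checks"
    fi
    return "$rc"
}

# Usage: sh audit_mqueue.sh [/var/spool/mqueue]
if [ "$#" -gt 0 ]; then
    audit_mqueue "$1"
fi
```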