Date: Fri, 30 Apr 1999 17:24:51 +0200 (MET DST)
From: "Pedro J. Lobo"
To: Fernando Schapachnik
Cc: robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
In-Reply-To: <199904301437.LAA09081@ns1.sminter.com.ar>

On Fri, 30 Apr 1999, Fernando Schapachnik wrote:

>In a previous message, Robert Watson wrote:
>> On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
>>
>> > As you may see, it is a rather ugly "feature". So, the question is: does
>> > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
>> > use /usr/bin/mail as the local mailer? I also administer an alpha with
>> > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
>> > mailer.
>
>You can use procmail which doesn't need suid.

Maybe I'll give it a try.

In the meantime, I've done a few more tests, and I don't like too much what I've seen.

I have looked at the mail.local code, and it does a seteuid(2) to the recipient's UID. So, why does the system allow it to write over quota?

I've written a small test program, and have found this: if you seteuid() and open a file for writing, write() or fwrite() calls will fail (that is, if the effective user is over quota). But, if you open the file, and call seteuid() when the file is already open, then you can write as much data as you want. As mail.local does this (first opens the user's mailbox, then seteuid()'s), the quotas are ignored.

I think this is a bug, and that quotas should be checked (and applied) every time you call write() or fwrite() or whatever. Opinions?

Pedro.

--
-------------------------------------------------------------------
Pedro José Lobo Perea                 Tel: +34 91 336 78 19
Centro de Cálculo                     Fax: +34 91 331 92 29
E.U.I.T. Telecomunicación             e-mail: pjlobo@euitt.upm.es
Universidad Politécnica de Madrid
Ctra. de Valencia, Km. 7              E-28031 Madrid - España / Spain
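
The ordering test described in the message above, as an added example that is not the poster's test program and not FreeBSD code: `try_order` (a hypothetical name) writes to a scratch file either after switching effective UID and then opening, or after opening and then switching. It assumes it is run as root against a user who is already at quota; the scratch path and UID are supplied by the administrator.

```c
/* Added example (hypothetical names). Run as root; argv[1] is a scratch file
 * on the quota-enabled filesystem in a directory the user can write to,
 * argv[2] is the numeric UID of a user who is already at quota. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum order { SETEUID_THEN_OPEN, OPEN_THEN_SETEUID };
/* Returns bytes written (0..nbytes), or -1 if the setup steps failed. */
long try_order(enum order ord, const char *path, uid_t uid, long nbytes)
{
    uid_t saved = geteuid();
    char buf[4096];
    long done = 0;
    int fd = -1, ok = 1;

    memset(buf, 'x', sizeof buf);
    if (ord == SETEUID_THEN_OPEN)
        ok = (seteuid(uid) == 0);
    if (ok)
        fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    /* mail.local's order: the user's file is already open at the switch. */
    if (fd >= 0 && ord == OPEN_THEN_SETEUID)
        ok = (fchown(fd, uid, (gid_t)-1) == 0 && seteuid(uid) == 0);
    while (ok && fd >= 0 && done < nbytes) {
        long left = nbytes - done;
        ssize_t n = write(fd, buf, left < (long)sizeof buf ? (size_t)left : sizeof buf);
        if (n <= 0) break;              /* e.g. EDQUOT: quota enforced */
        done += n;
    }
    if (seteuid(saved) != 0) ok = 0;    /* restore the original effective UID */
    if (fd >= 0) {
        close(fd);
        unlink(path);                   /* scratch file only, never a mailbox */
    }
    return (ok && fd >= 0) ? done : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) return 2;
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    printf("seteuid then open: %ld\n", try_order(SETEUID_THEN_OPEN, argv[1], uid, 1L << 20));
    printf("open then seteuid: %ld\n", try_order(OPEN_THEN_SETEUID, argv[1], uid, 1L << 20));
    return 0;
}
```

A larger byte count for the second order than for the first reproduces the behaviour the message reports.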