karl@osu-eddie.UUCP (02/18/87)
The posting of smail 2.3 has a large security hole in mail delivery
with regard to the use of ~/.forward files. This is a feature which I
initially added (rather badly, to be honest) and which Larry Auton saw
fit to include in 2.3 in a much better way. However, his checks for
the condition of ~/.forward are inadequate.
The code is this:
    /*
    ** check for ~user/.forward file
    ** must be a regular, readable file
    */
    sprintf(buf, "%s/%s", home, ".forward");
    if((stat(buf, &st) >= 0)
    &&((st.st_mode & S_IFMT) == S_IFREG)
    &&((fp = fopen(buf, "r")) != NULL)) {
        aliased = 0;
        while(fgets(buf, sizeof buf, fp)) {
            aliased |= recipients(addr, buf);
        }
        fclose(fp);
        if(aliased) {
            continue;
        }
    }
This is not sufficiently careful. It has not checked for things like
.forward being writable by a non-owner of the file, a transparent
security hole. I also recommend that checks be done on the home
directory to see that it, too, is writable only by the owner, lest
some cracker "give" you a .forward file, and suddenly you stop getting
mail without knowing why.
--
Karl

levy@ttrdc.UUCP (02/22/87)
In article <3150@osu-eddie.UUCP>, karl@osu-eddie.UUCP writes:
>The posting of smail 2.3 has a large security hole in mail delivery
>with regard to the use of ~/.forward files.
>
>[code]
>
>This is not sufficiently careful. It has not checked for things like
>.forward being writable by a non-owner of the file, a transparent
>security hole. I also recommend that checks be done on the home
>directory to see that it, too, is writable only by the owner, lest
>some cracker "give" you a .forward file, and suddenly you stop getting
>mail without knowing why.
>--
>Karl

And not only check the home directory, but the one above it, and the one
above that, etc.... (gee you can have such fun if some careless sysadmin
leaves / world writeable).
--
dan levy, an engihacker @ at&t computer systems division, skokie, illinois
Disclaimer: The views contained herein are my own and are not at all those
of my employer or the administrator of any computer upon which I may hack.
Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,allegra,ulysses,vax135}!ttrdc!levy
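The checks asked for in the two posts above (a .forward writable only by its owner, and every directory from the home directory up to / likewise), as an added C example that is not part of either post or of smail. The names `forward_check`, `mode_ok` and `fwd_status` are hypothetical, and two rules are assumptions: the file must be owned by the recipient, and directories may be owned by the recipient or by root.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum fwd_status { FWD_OK, FWD_BAD_FILE, FWD_BAD_DIR };

/* Accept an object owned by `owner` (or by root, if allow_root is set)
 * that carries no group or other write bit. */
int mode_ok(mode_t mode, uid_t uid, uid_t owner, int allow_root)
{
    if (uid != owner && !(allow_root && uid == 0))
        return 0;
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Decide whether <home>/.forward may be honoured for user `owner`.
 * Added example with hypothetical names, not smail's own code. */
enum fwd_status forward_check(const char *home, uid_t owner)
{
    char path[PATH_MAX], *slash;
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/.forward", home);

    if (home[0] != '/' || n < 0 || (size_t)n >= sizeof path)
        return FWD_BAD_FILE;
    /* lstat() does not follow a symlink, so a link fails S_ISREG */
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode)
        || !mode_ok(st.st_mode, st.st_uid, owner, 0))
        return FWD_BAD_FILE;
    /* Strip one component per pass: home, its parent, ..., "/" */
    for (;;) {
        slash = strrchr(path, '/');
        slash[slash == path ? 1 : 0] = '\0';   /* keep the "/" of the root */
        if (stat(path, &st) < 0 || !S_ISDIR(st.st_mode)
            || !mode_ok(st.st_mode, st.st_uid, owner, 1))
            return FWD_BAD_DIR;
        if (slash == path)
            return FWD_OK;
    }
}

int main(int argc, char **argv)
{
    /* exit 0 only when argv[1]'s .forward passes every check */
    return argc == 2 && forward_check(argv[1], getuid()) == FWD_OK ? 0 : 1;
}
```

The checks and a later fopen() are separate steps, so a mailer would ideally open the file first and fstat() the descriptor. The walk is textual, so a symlinked ancestor is judged by its target only.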
levy@ttrdc.UUCP (02/22/87)
In article <1519@ttrdc.UUCP>, levy@ttrdc.UUCP (I) sez:
>(gee you can have such fun if some careless sysadmin
>leaves / world writeable).

Let me add: Kids, don't try this at home. Needless to say (but I'm saying
it anyhow just so I don't get accused of inciting reckless hacking),
especially if your work/schoolwork depends upon having an account upon
said computer or a job from company owning said computer, you could find
yourself in deep <unspeakable>. There, are ya happy.