lenny@icus.UUCP (Lenny Tropiano) (12/04/87)
In article <9300036@bradley>, brad@bradley.UUCP writes:
>
> /* Written 2:07 am Nov 24, 1987 by lenny@icus.UUCP in bradley:comp.sys.att */
>
>>This is a problem with the system manager (smgr) which controls the
>>MAIL ICON at the top of the screen. If you save your mail after clicking
>>on the icon, it indeed goes in /etc/lddrv/mbox, this is a *BUG* not
>>a system problem. A while back I reported doing a "shell" escape "!" from
>>inside mail from the icon, will give you root access. This is a pretty
>>bad security flaw, since smgr runs as a root process. This can be
>>fixed I believe by renaming "/bin/mail" with "/bin/lmail" and writing
>>a short program that will do a:
>>
>>	setuid(getuid());
>>	setgid(getgid());
>>
>>and then exec "/bin/lmail".
> This doesn't work as smgr runs as root. What I do is look at /etc/utmp (or
> is it /etc/wtmp) and find out who is logged into /dev/w1, then using the
> login name look up the uid in /etc/passwd and use this. Multiple gettys
> will read the mail of whoever is logged into /dev/w1 (note that /dev/tty???
> doesn't have this happen to it).

Sorry about that... I never tested my assumptions, but here's a VALID
SOLUTION to the problem. Substitute your favorite mail program
(i.e. MAILX, ELM, etc.) for the PROGNAME, PROGPATH preprocessor defines.

---- CUT HERE ---- ---- CUT HERE ---- ---- CUT HERE ---- ---- CUT HERE ----
/****************************************************************************
* Program: email.c - Fix the security flaw in the UNIX pc <MAIL> icon      *
*                                                                          *
* Author:  Lenny Tropiano              UUCP: ...icus!lenny                 *
*          (c)1987 ICUS Computer Group                                     *
*                                                                          *
* This program is public domain and may be distributed without author's   *
* consent.                                                                 *
*                                                                          *
* WARNING: DO NOT USE IF YOU HAVE THE AT&T ELECTRONIC MAIL PACKAGE         *
*          INSTALLED -- this will *OVERWRITE* /usr/bin/email               *
*                                                                          *
* Compiling instructions:                                                  *
*                                                                          *
* # cc -c -O -DPROGPATH=\"/usr/bin/elm\" -DPROGNAME=\"elm\" email.c        *
* # ld -s email.o /lib/crt0s.o /lib/shlib.ifile -o /usr/bin/email          *
*                                                                          *
* Logout and login again to tell the System Manager /etc/smgr              *
* that when you press the MAIL ICON, to check /usr/bin/email first.        *
*                                                                          *
****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>

extern char **environ;

int main(int argc, char *argv[])
{
	/* email is exec'd from smgr with /usr/bin/email -i -u <user> */
	struct passwd *pswd;
	char home[256], shell[256], mail[256];

	if (argc < 4)			/* argv[3] must hold the user name */
		exit(1);

	setpwent();
	if ((pswd = getpwnam(argv[3])) == NULL)
		exit(1);

	/* give up root: group first, then user; stop if either call fails */
	if (setgid(pswd->pw_gid) != 0 || setuid(pswd->pw_uid) != 0)
		exit(1);

	/* rebuild the environment for the user's own mail session */
	putenv("PATH=:/bin:/usr/bin:/usr/lbin:");
	snprintf(home, sizeof home, "HOME=%s", pswd->pw_dir);
	chdir(pswd->pw_dir);
	putenv(home);
	snprintf(shell, sizeof shell, "SHELL=%s", pswd->pw_shell);
	putenv(shell);
	putenv("TERM=s4");
	snprintf(mail, sizeof mail, "MAIL=/usr/mail/%s", pswd->pw_name);
	putenv(mail);
	endpwent();

	/* run the chosen mail program; fall back to /bin/mail if that fails */
	execle(PROGPATH, PROGNAME, (char *)0, environ);
	execle("/bin/mail", "mail", (char *)0, environ);
	perror("exec() failed");
	exit(1);
}
---- CUT HERE TOO ---- ---- CUT HERE TOO ---- ---- CUT HERE TOO ---- ----
-- 
============================ US MAIL:   Lenny Tropiano, ICUS Computer Group
 IIIII  CCC  U   U  SSSS                PO Box 1
   I   C   C U   U S                    Islip Terrace, New York  11752
   I   C     U   U  SSS      PHONE:     (516) 968-8576 [H] (516) 582-5525 [W]
   I   C   C U   U     S     AT&T MAIL: ...attmail!icus!lenny  TELEX: 154232428
 IIIII  CCC   UUU  SSSS      UUCP:
============================    ...{uunet!godfre, mtune!quincy}!\
               ...{ihnp4, boulder, harvard!talcott, skeeve, ptsfa}! >icus!lenny
"Usenet the final frontier"    ...{cmcl2!phri, hoptoad}!dasys1!/
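
An added example, not part of the original post or of Lenny Tropiano's program: a privilege drop for a root-started helper invoked as `email -i -u <user>`, written for a current POSIX system. It resets supplementary groups, checks every return value, and confirms root cannot be regained. The names `drop_to_user` and `enum drop_result`, and the policy of refusing to switch to uid 0, are assumptions of this example.

```c
#define _DEFAULT_SOURCE 1	/* glibc: declare initgroups() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum drop_result { DROP_OK = 0, DROP_NO_USER, DROP_IS_ROOT, DROP_FAILED };

/*
 * Permanently switch the calling process to the account named `user`.
 * drop_to_user and enum drop_result are names made up for this example.
 */
enum drop_result drop_to_user(const char *user)
{
	struct passwd *pw;
	uid_t uid;
	gid_t gid;

	if (user == NULL || (pw = getpwnam(user)) == NULL)
		return DROP_NO_USER;
	uid = pw->pw_uid;
	gid = pw->pw_gid;
	if (uid == 0)		/* assumed policy: never "drop" to root */
		return DROP_IS_ROOT;

	/* Only root may reset the supplementary group list, so do it while
	 * still root; skipping it would leave root's groups attached. */
	if (geteuid() == 0 && initgroups(pw->pw_name, gid) != 0)
		return DROP_FAILED;

	/* Group before user: once the uid is gone, setgid() is refused. */
	if (setgid(gid) != 0 || setuid(uid) != 0)
		return DROP_FAILED;

	/* Verify the drop is complete and cannot be undone. */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return DROP_FAILED;
	if (setuid(0) == 0 || seteuid(0) == 0)
		return DROP_FAILED;
	return DROP_OK;
}

int main(int argc, char *argv[])
{
	/* Calling convention from the post: email -i -u <user> */
	if (argc < 4 || drop_to_user(argv[3]) != DROP_OK)
		return 1;
	printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
	return 0;
}
```

A caller would exec the mail program only after `drop_to_user` returns `DROP_OK`, so any shell escape inside the mailer runs with the user's own ids.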