flee@shire.cs.psu.edu (Felix Lee) (04/29/89)
In article <28952@ucbvax.BERKELEY.EDU>,
Jim Haynes <haynes@ucscc.ucsc.EDU> describes
a problem similar to something I've found recently.
Our Sendmail under SunOS 4.0 will apparently run "|program" recipients
with arbitrary uids. I've been unable to duplicate this with Sendmail
5.59 running on a Vax, but this may be a vagary of configuration.
My .forward file currently includes "|cookie", where "cookie" is a
script that just records the id that it's run by. So far I have about
a dozen different cookies, mostly from local users who have sent me
mail, several from daemon, and a few from local users who have not
sent me mail.
Watching the mail queue, mail to me gets expanded to my mailbox and
"|cookie"; the message gets dropped in my mailbox, and "|cookie" gets
queued. The control file for the "|cookie" delivery doesn't keep the
recipient id; something arbitrary (like the sender, or the recipient
of the previous message) is used when the queue gets run. I leave it
to sendmail experts to delve the internal state that controls this.
(The original "|cookie" was intended to be a harmless prank on someone
whose .forward file was writable by other. It was something like
    grep -s "Cookie" || (fortune | mail -s "Cookie" `whoami`)
but then, random people started getting cookies..)
--
Felix Lee flee@shire.cs.psu.edu *!psuvax1!shire!flee
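A uid canary in the spirit of the "cookie" script described in the post above, as an added example that is not part of the original thread: it logs the uid a "|program" recipient actually runs as and flags any delivery where that differs from the owner of the .forward file. The `--deliver` argument, the function names, the paths and the log format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): uid canary for a "|program" recipient.
# Assumed .forward entry: "|/path/to/canary --deliver /home/me/.forward /some/log"
# The log must be appendable by any uid, since the point is to catch wrong ones.

# owner_uid FILE -> numeric uid owning FILE (third field of ls -ldn)
owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# classify RUN_UID EXPECTED_UID -> "ok" or "MISMATCH"
classify() {
    if [ "$1" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# record_delivery FORWARD_FILE LOG [RUN_UID]
# Appends one line per delivery. Returns 0 if the uid matches the owner of
# FORWARD_FILE, 1 on mismatch, 2 if FORWARD_FILE cannot be examined.
record_delivery() {
    fwd=$1
    log=$2
    run_uid=${3:-$(id -u)}          # third argument exists only for testing
    [ -e "$fwd" ] || return 2
    expect=$(owner_uid "$fwd")
    verdict=$(classify "$run_uid" "$expect")
    printf '%s run_uid=%s expected_uid=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$run_uid" "$expect" "$verdict" >> "$log"
    [ "$verdict" = ok ]
}

# summarize LOG -> "run_uid=N count" for every uid that was not the owner
summarize() {
    awk '$NF == "MISMATCH" { n[$2]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Delivery entry point: drain the message from stdin so the mailer sees a clean
# exit, record the uid, and never fail the delivery itself.
if [ "${1:-}" = "--deliver" ]; then
    cat > /dev/null
    record_delivery "$2" "$3"
    exit 0
fi
```

Running `summarize` on the log after a few queue runs lists every uid other than the owner's that the recipient program was executed under.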
haynes@ucbarpa.Berkeley.EDU (Jim Haynes) (04/30/89)
In article <FLEE.89Apr28231830@shire.cs.psu.edu>
flee@shire.cs.psu.edu (Felix Lee) writes:
>
>Our Sendmail under SunOS 4.0 will apparently run "|program" recipients
>with arbitrary uids. I've been unable to duplicate this with Sendmail
>5.59 running on a Vax, but this may be a vagary of configuration.
>
Hmmm, one thing in common between your Sun and our ISI is that they
are MC68000 machines (or is your Sun a Sun4?) and hence have the
opposite byte order to VAXen. Another fact I should have mentioned is
that our ISI machine tends to be very heavily loaded much of the time.
So maybe there's something in there that is unwittingly sensitive to
byte order; or maybe it depends on some bug that is more probable when
the system is heavily loaded.
haynes@ucscc.ucsc.edu
haynes@ucscc.bitnet
...ucbvax!ucscc!haynes
"Any clod can have the facts, but having opinions is an Art."
Charles McCabe, San Francisco Chronicle
flee@shire.cs.psu.edu (Felix Lee) (05/01/89)
In article <28974@ucbvax.BERKELEY.EDU>,
haynes@ucbarpa.Berkeley.EDU (Jim Haynes) writes:
>or maybe it depends on some bug that is more probable when the system is
>heavily loaded.
Our Sun4 is hardly ever heavily loaded. It may be that when your
machine is heavily loaded sendmail queues "|program" recipients, as
our Sun does. "|program" recipients in the queue lose the original
recipient information, and thus get run by arbitrary uids.
Tomorrow I will try to tweak sendmail on our Vax to reproduce the
problem.
--
Felix Lee flee@shire.cs.psu.edu *!psuvax1!shire!flee