wessels@uthub.UUCP (Ron Wessels) (03/09/84)
>> Oh, good grief. Don't make /usr/spool/mail publicly writable:
>>
>> $ mv /usr/spool/mail/me /usr/spool/mail/me.keep
>> $ mv /usr/spool/mail/you /usr/spool/mail/me
>> $ mail ...

> Better than that, you can use 'mail -u user'. An undocumented (I think)
> Berkeley mail option. This lets you pretend that you are that user, and
> play with the mail however you want. The only real problem is that it
> writes undeleted read mail into your mbox rather than his. I have often
> thought that it is a pretty silly option to have...

On 4.xBSD systems, reading other people's mail is the least of your worries with a writable /usr/spool/mail. With the proper abuse, any user can obtain a root shell. [ No, I'm not going to give the method for obvious reasons, but it's not hard to figure out ].

[ By the way, "mail -u user" DOES have a use. /usr/ucb/mail apparently gets the user name from a getlogin() call. Thus, if you log in as A and su to B, a simple "mail" will attempt to read A's mailbox, which, of course, is read-protected from B. You have to do a "mail -u B". ]

Simply changing the protection of /usr/spool/mail breaks the mail locking system, as several people have previously pointed out. However, unlike those who have moved the lock files to /tmp (or wherever), we have come up with a simple fix to /bin/mail that allows /usr/spool/mail to be 755 and still have the mail locking work. The diffs follow (the line numbers may be off by a couple because of various SCCS and RCS id strings).
*************** *** 124,130 char *p, *getarg(); struct stat statb; - setuid(getuid()); cat(mailfile, maildir, my_name); if (stat(mailfile, &statb) >= 0 && (statb.st_mode & S_IFMT) == S_IFDIR) { --- 126,131 ----- char *p, *getarg(); struct stat statb; cat(mailfile, maildir, my_name); if (stat(mailfile, &statb) >= 0 && (statb.st_mode & S_IFMT) == S_IFDIR) { *************** *** 155,160 } else break; } malf = fopen(mailfile, "r"); if (malf == NULL) { fprintf(stdout, "No mail.\n"); --- 156,165 ----- } else break; } + if (access(mailfile,4) < 0) { + fprintf(stdout, "No mail.\n"); + return; + } malf = fopen(mailfile, "r"); if (malf == NULL) { fprintf(stdout, "No mail.\n"); *************** *** 165,170 fclose(malf); fclose(tmpf); unlock(); tmpf = fopen(lettmp, "r"); changed = 0; --- 170,176 ----- fclose(malf); fclose(tmpf); unlock(); + setuid(getuid()); tmpf = fopen(lettmp, "r"); changed = 0; --------------------------------------------------------------------------- While I'm at it, I'll also post the diffs to change the temp file to be owned by the user, rather than root. This way, people with restrictive umask's can also read mail. *************** *** 84,89 for (i=SIGHUP; i<=SIGTERM; i++) setsig(i, delete); tmpf = fopen(lettmp, "w"); if (tmpf == NULL) { fprintf(stderr, "mail: cannot open %s for writing\n", lettmp); done(); --- 85,91 ----- for (i=SIGHUP; i<=SIGTERM; i++) setsig(i, delete); tmpf = fopen(lettmp, "w"); + chown(lettmp, getuid(), getgid()); if (tmpf == NULL) { fprintf(stderr, "mail: cannot open %s for writing\n", lettmp); done(); ----------------------------------------------------------------------------- These fixes have been installed on several systems here at U. of T. for quite some time with no problems. Hope this helps. -- Ron Wessels Computer Systems Research Group University of Toronto { decvax , floyd , ihnp4 , linus , utzoo , uw-beaver }!utcsrgv!uthub!wessels
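Review bot: Removing `setuid(getuid());` at the top of the 124,130 hunk means the `stat(mailfile, &statb)` just below it, and everything up to the `setuid(getuid())` re-added after `unlock()`, now runs with the installed set-uid privilege. Please add a comment at this spot saying the drop is deferred on purpose so the lock can be taken in a 755 spool directory, and confirm that nothing between the two points opens a user-named file other than through the new `access()` check.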
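Review bot: The `access(mailfile,4)` test added in the 155,160 hunk is followed by a separate `fopen(mailfile, "r")` on the same path, so the permission check and the privileged open are not atomic; the check is only sound while the caller cannot replace `mailfile` in between, which should be stated in a comment. Opening first and verifying the descriptor with `fstat()` avoids the window, and `R_OK` reads better than the bare `4`. A permission failure here also prints "No mail.", the same text as the `malf == NULL` branch, which hides the real cause.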
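Review bot: The `setuid(getuid());` added after `unlock()` in the 165,170 hunk ignores its return value, so if the call fails the rest of the function carries on with the privilege still held. Check it and bail out, for example `if (setuid(getuid()) < 0) done();`. The new `return;` in the 155,160 hunk also leaves before this line is reached, so on that path the caller keeps the privilege; drop it there too.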
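Review bot: In the 84,89 hunk `chown(lettmp, getuid(), getgid());` runs before the `tmpf == NULL` test, works on the path rather than on the file just opened, and its result is not checked. Move it below the NULL check and use `fchown(fileno(tmpf), getuid(), getgid())` so the ownership change cannot land on a different file from the one `fopen()` created. Because the earlier patch reopens `lettmp` after `setuid(getuid())`, a failed chown should be treated as an error rather than ignored.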
phil@amd70.UUCP (Phil Ngai) (03/26/84)
This has probably been pointed out before but I just learned it...

Ron Wessels proposes to make /usr/spool/mail 755 and keep the lock files in there. This probably works fine under straight V7 but we run V7 with Berkeley enhancements like /usr/ucb/Mail and it is necessary for `Mail' to write /usr/spool/mail when putting back mail that is either unread or preserved. Therefore both /usr/ucb/Mail and /bin/mail need to observe the same locking protocol.

The way I see it, you can either move the locks to /tmp or leave /usr/spool/mail 777. I chose the former.

--
Phil Ngai (408) 988-7777
{ucbvax,decwrl,ihnp4,allegra,intelca}!amd70!phil
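The thread turns on lock files that live in the spool directory, so whoever takes the lock needs write permission there. As an added example (not code from either post or from the 4.xBSD mailers), this C sketch shows a create-exclusive lock returning EEXIST while held and EACCES once the directory is not writable; the `M.lock` naming, the helper names and the scratch directory are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed convention: mailbox M is locked by the file "M.lock" beside it.
 * Returns 0 if taken, else errno (EEXIST: held; EACCES: no directory write). */
int mbox_lock(const char *mailbox)
{
    char lock[512];
    if (snprintf(lock, sizeof lock, "%s.lock", mailbox) >= (int)sizeof lock)
        return ENAMETOOLONG;
    /* O_CREAT|O_EXCL creates atomically or fails: the file is the lock. */
    int fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int mbox_unlock(const char *mailbox)
{
    char lock[512];
    if (snprintf(lock, sizeof lock, "%s.lock", mailbox) >= (int)sizeof lock)
        return ENAMETOOLONG;
    return unlink(lock) == 0 ? 0 : errno;
}

/* Constructed scenario: a scratch directory stands in for the spool. */
int spool_demo(int r[3])
{
    char dir[] = "/tmp/spoolXXXXXX", mbox[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(mbox, sizeof mbox, "%s/me", dir);
    r[0] = mbox_lock(mbox);   /* first locker */
    r[1] = mbox_lock(mbox);   /* second locker while the lock is held */
    mbox_unlock(mbox);
    chmod(dir, 0555);         /* no write bit: what 755 means to non-owners */
    r[2] = mbox_lock(mbox);   /* locker that cannot write the directory */
    chmod(dir, 0755);
    mbox_unlock(mbox);        /* a lock exists here only if run as root */
    return rmdir(dir);
}

int main(void)
{
    int r[3] = {0}, rc = spool_demo(r);
    printf("rc=%d first=%d second=%d unwritable=%d\n", rc, r[0], r[1], r[2]);
    return rc != 0;
}
```

Run as root, the third attempt succeeds because root bypasses the directory's permission bits, which is why the first patch keeps mail's privilege until after `unlock()`.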