mjl@ritcv.UUCP (06/10/83)
The biggest problem with 4.1 /bin/mail is that it's both a front end and a backend to delivermail. In the former role, it should not act set-uid root as this will be inherited by delivermail, which then permits all sorts of bad things (like writing to arbitrary files). In the latter role, /bin/mail probably should be set-uid to support protection of mailboxes by the owners and controlled writing by the senders.

Our local fix was to have /bin/mail do a setgid(getgid()) and setuid(getuid()) just before executing delivermail. Thus delivermail runs with the sender's permissions. When delivermail later calls /bin/mail to actually store the letter, the root permissions are reinstated and the mail can be delivered.

If anyone out there sees a gaping hole that I'm missing, please let me know.

Mike Lutz
{allegra,seismo}!rochester!ritcv!mjl
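The privilege drop described in the post, written out as an added example; this is not the ritcv fix and not any 4.1BSD /bin/mail or delivermail code. It assumes a small front end installed set-uid root, as /bin/mail was, that must exec a helper (the helper path and its argv are whatever the caller supplies). Beyond the two calls the post names, it checks each call's return value and then confirms that the effective IDs really match the real IDs before the exec, so a failed drop cannot silently hand root to the child.

```c
/* Added example: set-uid front end that drops to the invoking user's
 * real identity before exec'ing a helper, in the spirit of the
 * setgid(getgid()); setuid(getuid()) fix described in the post.
 * Not taken from 4.1BSD /bin/mail or delivermail. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reset effective group and user IDs to the real ones.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    /* Group first: once the effective uid is no longer root,
     * setgid() to a different gid fails with EPERM. */
    if (setgid(rgid) == -1)
        return -1;
    if (setuid(ruid) == -1)
        return -1;

    /* Belt and braces: never trust the drop without checking it. */
    if (geteuid() != ruid || getegid() != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process holds no set-id privilege (real == effective). */
int privileges_dropped(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Drop privileges, then exec the helper. Returns only on failure (-1). */
int exec_unprivileged(const char *path, char *const argv[])
{
    if (drop_privileges() == -1)
        return -1;               /* refuse to exec while still privileged */
    execv(path, argv);
    return -1;                   /* execv returns only on error */
}

/* Usage: frontend /path/to/helper [args...]
 * (path and args are caller-supplied; nothing here is delivermail's.) */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (exec_unprivileged(argv[1], &argv[1]) == -1) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
        return 1;
    }
    return 0;
}
```

The order of the two calls matters: setgid() has to run while the effective uid is still root, because an unprivileged process may only setgid() to its own effective gid. The geteuid()/getegid() comparison after the calls is the check the post's fix leaves implicit. One caveat: this is sufficient for a program that is set-uid to root. A binary set-uid to some non-root user keeps its saved set-user-ID after setuid(getuid()) on systems that have one, and a child could seteuid() back to it, so such a program should clear the saved ID too, with setresuid() where available.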