[net.unix-wizards] /bin/mail protections

mjl@ritcv.UUCP (06/10/83)

The biggest problem with 4.1 /bin/mail is that it's both a front end
and a backend to delivermail.  In the former role, it should not act
set-uid root as this will be inherited by delivermail, which then
permits all sorts of bad things (like writing to arbitrary files).  In
the latter role, /bin/mail probably should be set-uid to support
protection of mailboxes by the owners and controlled writing by the
senders.

Our local fix was to have /bin/mail do a setgid(getgid()) and
setuid(getuid()) just before executing delivermail.  Thus delivermail
runs with the sender's permissions.  When delivermail later calls
/bin/mail to actually store the letter, the root permissions are
reinstated and the mail can be delivered.

If anyone out there sees a gaping hole that I'm missing, please let me
know.

Mike Lutz {allegra,seismo}!rochester!ritcv!mjl
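
As an added example (not the 4.1BSD /bin/mail source and not Mike's local patch), the following C program shows the same idea in isolation: a set-uid program does setgid(getgid()) and then setuid(getuid()) in the child just before exec'ing its helper, so the helper runs with the invoker's permissions, and it verifies that the drop actually took effect instead of trusting the return codes alone. The function names drop_to_real_ids, ids_match and run_unprivileged are assumptions chosen for this illustration.

```c
/* Added example: give up set-uid/set-gid privilege before exec'ing a
 * helper, in the spirit of the /bin/mail -> delivermail fix described in
 * the post.  This is illustrative code, not 4.1BSD /bin/mail. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 when the effective uid/gid already equal the real uid/gid,
 * i.e. no set-uid/set-gid privilege is in effect. */
int ids_match(void)
{
    return geteuid() == getuid() && getegid() == getgid();
}

/* Become the real user and group.  The order matters: change the group
 * while still effectively root, because once the effective uid is no
 * longer 0 a later setgid() to a different group would fail.
 * Returns 0 on success, -1 on failure. */
int drop_to_real_ids(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Check the result rather than trusting the return codes alone.
     * For a set-uid-root program, setuid() as root resets the real,
     * effective and (on modern systems) saved uid, so privilege cannot
     * be regained afterwards. */
    if (!ids_match())
        return -1;
    return 0;
}

/* Fork, drop privilege in the child, then exec argv[0] with argv.
 * Returns the child's exit status (0..255), or -1 on failure before exec
 * or if the child did not exit normally. */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the helper inherits whatever IDs we have here, so drop
         * them first and refuse to exec if the drop failed. */
        if (drop_to_real_ids() != 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(int argc, char *argv[])
{
    int rc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    printf("parent: uid=%ld euid=%ld gid=%ld egid=%ld\n",
           (long)getuid(), (long)geteuid(),
           (long)getgid(), (long)getegid());
    rc = run_unprivileged(&argv[1]);
    if (rc < 0) {
        perror("run_unprivileged");
        return 1;
    }
    return rc;
}
```

Run as an ordinary user it simply execs the command with your own IDs; installed set-uid root it prints euid=0 in the parent while the child (try `id` as the command) reports the invoker's uid and gid. Two caveats for anyone adapting this beyond the set-uid-root case in the post: a program that is set-uid to a non-root account should use setreuid()/setresuid() so the saved set-user-ID is dropped as well, and a set-uid-root program should also clear supplementary groups with setgroups() before the setuid() call.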