[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] setuid/setgid in nmh

From: Robert Elz
Subject: Re: [Nmh-workers] setuid/setgid in nmh
Date: Mon, 03 Feb 2014 10:41:02 +0700

    Date:        Sun, 02 Feb 2014 10:58:30 -0500
    From:        David Levine <address@hidden>
    Message-ID:  <address@hidden>

  | 2) if (geteuid() == 0) setuid(pw->pw_uid);
  | This would be a security hole if the executable was setuid root
  | because the user specifies the source of the pw data.  This is
  | in slocal(1), where it would be significant, and it's for nearly
  | all of its duration.  However, slocal is not setuid, so this is
  | certainly not needed.

And it is impossible for slocal to ever be used as the mail delivery
agent (the way procmail can be, or example) - so it gets run as root, but
told which user it is to deliver the mail for ?

Doesn't bother me either way, as I have never used slocal for anything,
but I thought I should mention the posibility.

  | As far as I know, those conditions don't apply to any platform
  | that we might actively support, including:
  |     Linux, Cygwin, AIX:  use fcntl (by default)
  |     FreeBSD, OpenBSD, Mac OS X:  use flock (by default)
  |     Solaris:  has world-writable mail spool

Don't omit NetBSD from that list .... it normally also uses flock()
(that is, open(..., O_EXLOCK, ...) ) for manipulating the mail delivery
file, but also file locking as an option (I think to allow for the
possibility that the mail delivery filesystem is NFS mounted) - but
for that the delivery program is setuid, and the mail spool is world
writable (sticky).  I don't know if there is anyone who actually uses
lockfiles though.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]