Re: [Nmh-workers] setuid/setgid in nmh
From: Robert Elz
Subject: Re: [Nmh-workers] setuid/setgid in nmh
Date: Mon, 03 Feb 2014 10:41:02 +0700
Date: Sun, 02 Feb 2014 10:58:30 -0500
From: David Levine <address@hidden>
Message-ID: <address@hidden>
| 2) if (geteuid() == 0) setuid(pw->pw_uid);
|
| This would be a security hole if the executable was setuid root
| because the user specifies the source of the pw data. This is
| in slocal(1), where it would be significant, and it's for nearly
| all of its duration. However, slocal is not setuid, so this is
| certainly not needed.
And is it impossible for slocal to ever be used as the mail delivery
agent (the way procmail can be, for example) - so it gets run as root, but
told which user it is to deliver the mail for?
Doesn't bother me either way, as I have never used slocal for anything,
but I thought I should mention the possibility.
| As far as I know, those conditions don't apply to any platform
| that we might actively support, including:
| Linux, Cygwin, AIX: use fcntl (by default)
| FreeBSD, OpenBSD, Mac OS X: use flock (by default)
| Solaris: has world-writable mail spool
Don't omit NetBSD from that list ... it normally also uses flock()
(that is, open(..., O_EXLOCK, ...)) for manipulating the mail delivery
file, but also file locking as an option (I think to allow for the
possibility that the mail delivery filesystem is NFS mounted) - but
for that the delivery program is setuid, and the mail spool is world
writable (sticky). I don't know if there is anyone who actually uses
lockfiles though.
kre
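The quoted `if (geteuid() == 0) setuid(pw->pw_uid);` is the line that matters if a program like this ever did run setuid root or as a root-invoked delivery agent. As an added illustration (my own code, not nmh's; the function names `target_ids_ok`, `drop_privileges` and `drop_to_user` are assumptions), here is what a hardened privilege drop looks like: the target comes from the system passwd database rather than from pw data the invoking user chose, uid/gid 0 is refused, supplementary groups and gid are dropped before the uid, every call is checked, and the drop is verified to be irreversible before success is reported.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __GLIBC__
int setgroups(size_t size, const gid_t *list); /* keep prototype in strict -std modes */
#endif

/* A target uid or gid of 0 is never a valid drop target: if user-supplied
 * passwd data resolves to root, the only safe answer is to refuse. */
int target_ids_ok(uid_t uid, gid_t gid)
{
    return uid != 0 && gid != 0;
}

/* Permanently drop from root to (uid, gid). Returns 0 on success, -1 with
 * errno set. Every step is checked and the result verified, unlike the bare
 * `if (geteuid() == 0) setuid(pw->pw_uid);` quoted in the thread. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!target_ids_ok(uid, gid)) {
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Groups before uid: once the uid is unprivileged these calls fail. */
        if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            return -1;
    }
    /* Check real and effective ids rather than trusting return codes alone,
     * and require that regaining root now fails: the drop must be irreversible. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid ||
        getegid() != gid || setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Resolve the target from the system passwd database, not from a file the
 * invoking user chose, then drop to it. */
int drop_to_user(const char *name)
{
    errno = 0;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) { if (errno == 0) errno = ENOENT; return -1; }
    return drop_privileges(pw->pw_uid, pw->pw_gid);
}
```

A caller that gets -1 from `drop_privileges()` should exit rather than carry on, since a partial drop is the state the quoted one-liner silently leaves behind when `setuid()` fails.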