Date: Tue, 15 May 2001 17:00:43 -0400
From: Rich Lafferty <[email protected]>
To: [email protected]Subject: MUAs that delete spoolfiles (was Solaris /usr/bin/mailx exploit (SPARC))
On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne ([email protected]) wrote:
> >
> > (At least not if you /var/mail directory has the standard 1777 permissions)
> >
> > By forcing a file permission of 600 on mailboxes, group mail should not
> > gain you anything.
>
> Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
> empty mailboxes?)
If that's true, then even *without* this particular bug in Solaris,
there's an icky denial of service attack waiting to happen. Sticky
mailspools are awfully common these days, and all that stops Bob from
doing
touch /var/spool/mail/alice
and causing the MTA to refuse to deliver is that Alice's mailbox
should never *not* be there in the first place.
Which MUAs behave in the way you describe?
> Since you cannot easily do this, at the very least a malicious user should be
> able to steal other users' mail. I think.
If they can, then *that's* a flaw in the MTA, which should never
deliver into something that isn't owned by the recipient.
-Rich
--
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- [email protected] ----------------------
