Aucbvax.3138
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Tue Sep 15 13:09:58 1981
mail security and mailing to files/pipes
>From wales@UCLA-Security Tue Sep 15 10:51:17 1981
RE:  Steven Bellovin (UNC-Chapel Hill)'s comment about the security
    holes inherent in a mailer (e.g., Berkeley delivermail) which lets
    you mail to pipes or files over a network

Here at UCLA, we are running a locally written mailer (I wrote it) which
allows mailing to pipes or files a` la Berkeley delivermail.  However,
we protect ourselves by allowing people to mail to pipes or files ONLY
via aliases in the public mail alias file.

To give a trivial example, our mail alias file has a line saying:

                       nobody: /dev/null

Anyone who mails something to "nobody" will get his mail appended to
/dev/null.  But if our mailer gets a direct request to mail to /dev/null
(i.e., without going through the alias "nobody"), it gets rejected.

This is done by having our "delivermail"-like program examine each of
its arguments for the characters "/" and "|"; any destination argument
containing either of these magic characters is rejected.  This test is
NOT done, however, for the right-hand sides of alias-file lines .  Thus,
a file or program can get mailed to only if its name comes from a RHS
in the alias file.

So even though program execution and file appending by the mailer gets
done as (gasp!) root, we're still safe, because we can control exactly
which files or programs can get mailed to.  (The masses do not have
write access to the alias file, needless to say.)

As for the mail alias file, it is in /usr, and none of the users' home
directories are in the same file system, so we appear to be safe from
people who would try to mail lines to the alias file by linking it to
their own mailbox.  (However, the flurry of recent comments about mail
security have been noted out here, and we can probably tighten things
up still more.)

If Berkeley delivermail suffers from a security flaw in this respect,
they are welcome to try our solution.

-- Rich

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.