home *** CD-ROM | disk | FTP | other *** search
- From: zen@death.corp.sun.com (d)
- Newsgroups: alt.security,comp.security.misc
- Subject: mail spool dirs [Was: COPS security report question]
- Message-ID: <ZEN.92May29140143@death.corp.sun.com>
- Date: 29 May 92 19:01:43 GMT
- References: <root.707141979@merlin> <ZEN.92May29094208@death.corp.sun.com>
- <1992May29.175751.18958@nntp.hut.fi>
- Organization: savage hackers
- In-reply-to: jkp@cs.HUT.FI's message of 29 May 92 17:57:51 GMT
-
-
- In article <1992May29.175751.18958@nntp.hut.fi> jkp@cs.HUT.FI (Jyrki Kuoppala) writes:
- In article <ZEN.92May29094208@death.corp.sun.com>, zen@death (d) writes:
- > >Warning! /usr/spool/mail is _World_ writable!
- > Probably not a problem. Esp. if a sun.
- My memory is very bad as always, but I think a world-writable
- /usr/spool/mail is a problem. Though there probably was something
- about SunOS that made it a less serious problem than on other machines.
- Or vice versa. Perhaps it was only about reading someone's mail by
- mv'ing their mail file to your mail file. If not, there is some
- in.comsat stuff you should look at - perhaps it running as root and
- making symlinks in /usr/spool/mail.
-
- I'll agree in principle on this one, but unfortunately if you chmod
- the dir, mail will often stop working. But it can be a great way to
- read people's mail or worse; if they don't currently have a mail spool
- file, something like:
-
- touch /usr/spool/mail/foo_user
- chmod 666 /usr/spool/mail/foo_user
-
- Will allow you to read/write mail as it comes in on almost all
- systems. On the really bad ones you can do something like
-
- echo "#!/bin/sh" > /usr/spool/mail/foo_user
- chmod 4777
- echo test | mail foo_user
-
- And it will will chown, but not chmod, your mail spool file. Then
- the ol' suid-shell-script-symbolic-link trick gives you a suid shell
- of the user. If it doesn't work, it will still often it will do
- assorted strange things, like not chowning the file to the rightful
- mail spool owner, etc.
-
- -- d
-
-
