
Re: Netscape Mail & /var/spool/mail permissions

> > Second, do _not_ change the permissions of /var/spool/mail.  The permissions
> > that Netscape suggests introduce a small security hole where one user could
> > potentially gain complete access to another's mail.  (It's small, but true.)
> > The permissions in the Debian system are correct.
> What is the nature of this hole?

The problem happens like this...

 - root adds world write permissions to /var/spool/mail
 - cracker creates file /var/spool/mail/fred with public read/write
 - new user "fred" is created
 - cracker and fred (and rest of the world) can read/write fred's mail.

Networks and NIS could create users on machines where the user doesn't
actually have a home directory, but to which mail could be specifically
directed, thus giving the hacker a free and largely untraceable mail

There is the additional problem that anyone could also create all
the files and directories they want under /var/spool/mail.

> I've run into *ix variants that don't need 1777 mail spools before, but
> I've never heard of it being a security hole to make their spool 1777.
> Debian uses sendmail V8, no?  Is it using an oddball delivery agent or
> something?

This would affect all systems as far as I can tell.

                               ( bcwhite@verisim.com )

    In theory, theory and practice are the same.  In practice, they're not.
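A defender-side audit for the condition described in the message above, as an added example that is not part of the original post: it flags a world-writable spool and any mailbox file that exists for no known user, is owned by someone other than the user it is named for, or is world-accessible. The function names, the injectable `uid_of` lookup and the sample spool are constructed for illustration.

```python
import os
import pwd
import stat
import tempfile

def system_uid(name):
    """uid for a login name, or None when no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_spool(spool, uid_of=system_uid):
    """Return (relative path, problem) findings for a mail spool directory."""
    findings = []
    if os.lstat(spool).st_mode & stat.S_IWOTH:
        findings.append((".", "spool directory is world-writable"))
    for name in sorted(os.listdir(spool)):
        st = os.lstat(os.path.join(spool, name))  # lstat: never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        owner = uid_of(name)
        if owner is None:
            findings.append((name, "mailbox exists but no such user"))
        elif st.st_uid != owner:
            findings.append((name, "owner does not match mailbox name"))
        if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((name, "mailbox is world-readable or world-writable"))
    return findings

def demo():
    """Audit a constructed spool: 'alice' is legitimate, 'fred' was pre-created."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)  # the world-writable setting under discussion
        for name, mode in (("alice", 0o600), ("fred", 0o666)):
            path = os.path.join(spool, name)
            open(path, "w").close()
            os.chmod(path, mode)
        accounts = {"alice": me}  # constructed account table; "fred" not yet created
        return audit_spool(spool, accounts.get)

if __name__ == "__main__":
    for where, problem in demo():
        print(f"{where}: {problem}")
```

Running the audit before an account is created catches a mailbox that is already waiting under that name.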
