From travis@borneo.evtech.com  Wed Jul  3 05:11:03 1996
Received: from midway.evtech.com (midway.evtech.com [204.96.163.2]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id FAA08903 for <best-of-security@suburbia.net>; Wed, 3 Jul 1996 05:10:57 +1000
Received: from tahiti.evtech.com (tahiti.evtech.com [192.35.179.19]) by midway.evtech.com (8.7.3/8.6.9) with ESMTP id OAA27086; Tue, 2 Jul 1996 14:10:33 -0500 (CDT)
Received: from borneo.evtech.com (borneo.evtech.com [192.35.179.29]) by tahiti.evtech.com (8.6.12/8.6.12) with ESMTP id OAA08549; Tue, 2 Jul 1996 14:10:30 -0500
Message-Id: <199607021910.OAA08549@tahiti.evtech.com>
To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
cc: travis@EvTech.com, best-of-security@suburbia.net
Subject: Re: BoS: Re: Solaris mailx hole 
In-reply-to: Your message of "Tue, 02 Jul 1996 01:08:49 EDT."
             <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net> 
Date: Tue, 02 Jul 1996 14:10:28 -0500
From: Travis Hassloch x231 <travis@EvTech.com>

In message <Pine.SUN.3.91.960702005934.18788A-100000@bigdog.fred.net> you write:
>         echo "localhost $USER" | /bin/mail $TARGET

This line should be preceded somewhere in the script by a line
which sets $USER:

USER=`whoami`

>         2. We have considered several potential workarounds for this
>            vulnerability.  The ideal fix would be to remove global write
>            access to the mail spool directory.  However, this is not
>            possible as programs such as /bin/mail, /usr/ucb/Mail and
>            elm require everyone to have write access.  Also it is not

                        or to be sgid-mail.

>            possible to, for example, change the group ownership of
>            /var/spool/mail to mail and give /bin/mail and /usr/ucb/Mail
>            setgid mail privilege, as they do not reset their group id
>            before forking a shell.

             Unless you have sources and can fix them.

>            i. Ensure that every user maintains a mailbox file.  The
>               following program will create a mailbox for every user
>               on the system, if one does not currently exist.

  Would it also suffice to have an alias for each such user?
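
The quoted advisory rules out setgid-mail because /bin/mail and /usr/ucb/Mail "do not reset their group id before forking a shell". The sketch below shows what such a reset could look like in a setgid program you have sources for. It is an added example, not code from the advisory or from any mailer, and the function names are hypothetical.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-group-ID privilege.
 * Returns 0 on success, -1 if the privilege is still held or recoverable. */
int drop_setgid_privilege(void)
{
    gid_t real = getgid();
    gid_t old_eff = getegid();

    /* Setting the real gid via setregid() also overwrites the saved
     * set-group-ID, so the old effective gid cannot be restored later. */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* For a non-root caller, regaining the old group must now fail. */
    if (old_eff != real && geteuid() != 0 && setegid(old_eff) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: run a shell escape without the mail group.
 * Returns the command's exit status, or -1 on failure. */
int run_shell_unprivileged(const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop first, and refuse to exec if the drop failed. */
        if (drop_setgid_privilege() != 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    return run_shell_unprivileged("id") < 0;
}
```

Any descriptor the program already holds open on the spool is still inherited by the child, so such descriptors also need to be closed or marked close-on-exec before the shell runs.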

