Bug 12495 - Potential exploit -- /var/spool/mail g+w is proper, but causing errors
Potential exploit -- /var/spool/mail g+w is proper, but causing errors
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: sendmail (Show other bugs)
6.2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Florian La Roche
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-18 21:08 EDT by R P Herrold
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-07-12 20:41:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description R P Herrold 2000-06-18 21:08:06 EDT
/var/spool/mail is properly g+w --- actually it should be 1777 

'user' "mail" should probably have a 'home' directory below
/var/spool/mail, to prevent these messages:

Jun 18 20:11:01 localhost sendmail[3060]: alias database /etc/aliases
autorebuilt by root
Jun 18 20:11:01 localhost sendmail[3060]: /etc/aliases: 14 aliases, longest
10
bytes, 152 bytes total
Jun 18 20:11:02 localhost sendmail[3060]: e5J0AxB03060: forward
/var/spool/mail/.forward.build: Group writable directory
Jun 18 20:11:02 localhost sendmail[3060]: e5J0AxB03060: forward
/var/spool/mail/.forward: Group writable directory              

-------------------

[root@localhost /etc]# grep mail passwd
mail:x:8:12:mail:/var/spool/mail:
mailnull:x:47:47::/var/spool/mqueue:/dev/null
[root@localhost /etc]# 

-------------------

I'd suggest that mail be given "/var/spool/mail/home" with ownership
mail.mail and permissions 700, so that it may safely rebuild the aliases
file without the exposure to a race exploit.

This may more properly affect 'filesystem' as well -- If so, perhaps we
should open a cross-reference bug there, too.

Another approach would be to all a blanket forward in /etc/aliases so that
all mail to 'mail' is sent to root.

But then, too, root's mail should also be sent to an end user account for
security's sake.  I'll submit that as an enhancement request.
Comment 1 Henri Schlereth 2000-07-12 20:40:58 EDT
sendmail-8.10.1-9 doesnt generate the permissions error anymore. The rest may still stand as feature requests.

Henri J. Schlereth
Comment 2 R P Herrold 2001-01-21 12:40:19 EST
Alan Cox has dedclined the 1777 on testers list -- the rest are not active --
close by initial requester

Note You need to log in before you can comment on or make changes to this bug.