Date: Tue, 11 Feb 1997 10:06:46 +0100 (MET)
From: luc.lewy@vz.cit.alcatel.fr (Luc.LEWY)
To: hackers@freebsd.org
Subject: mail.local & quotas...
Message-ID: <199702110906.KAA14700@bcv64s3e.vz.cit.alcatel.fr>

'lo all..

Well, while looking at the source code of mail.local, I found a little bug... (I'm currently using FreeBSD 2.1.5 R)

When quotas are set, mail.local could be used to overwrite these quotas.. as mail.local is setuid root...

    mail.local -f fill_it user1 user2 < /kernel.uu

I think we should change mail.local to:

1) fork and wait for its child to die before continuing (it'll fork for each destination user, but one at a time.. )
2) each child *must* change its uid to the owner of the destination mailbox...

This was maybe known and corrected months ago, but I never saw references to this...

This is not really a security risk, but an entire filesystem could be filled in this way.. (+ the 3% of the UFS since it's root who writes this data.. )

fifi...

--
Guezou "fifi..." Philippe
email: guezou_p@epita.fr pguezou@iway.fr luc.lewy@vz.cit.alcatel.fr
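
The change proposed in the message above (one forked child per recipient, running under the mailbox owner's uid, with the parent waiting for it before going on), sketched in C as an added example. It is not mail.local's code or the poster's; `deliver_as` and the demo mailbox path are hypothetical names.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: append msg to one mailbox as that mailbox's owner.
 * Returns 0 on success, the child's nonzero exit status on a delivery
 * failure, or -1 if fork/wait itself fails. */
int deliver_as(uid_t uid, gid_t gid, const char *mbox, const char *msg, size_t len)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop the group first, then the user; once setuid()
         * succeeds from root there is no way back. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(2);
        /* A full implementation would also reset supplementary groups. */
        int fd = open(mbox, O_WRONLY | O_APPEND | O_CREAT, 0600);
        if (fd < 0)
            _exit(3);
        /* Writes now run under the owner's uid, so the kernel charges the
         * owner's quota and the root-only reserve is not available. */
        while (len > 0) {
            ssize_t n = write(fd, msg, len);
            if (n <= 0)
                _exit(4);   /* e.g. quota exceeded or filesystem full */
            msg += n;
            len -= (size_t)n;
        }
        _exit(close(fd) == 0 ? 0 : 5);
    }
    /* Parent (still privileged): wait for this child before the next
     * recipient, so deliveries happen one at a time. */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo input: deliver to our own uid in a scratch file. */
    const char *msg = "From fill_it\n\ntest\n";
    return deliver_as(getuid(), getgid(), "/tmp/mbox.demo", msg, strlen(msg));
}
```

A caller would loop over the recipients, look up each mailbox owner's uid and gid, and treat any nonzero return as a failed delivery for that user only.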