Date: Sun, 02 Feb 2014 10:58:30 -0500
From: David Levine <levinedl(_at_)acm(_dot_)org>
Message-ID: <21266-1391356710(_dot_)058345(_at_)PWCR(_dot_)aRvw.l24H>
| 2) if (geteuid() == 0) setuid(pw->pw_uid);
|
| This would be a security hole if the executable was setuid root
| because the user specifies the source of the pw data. This is
| in slocal(1), where it would be significant, and it's for nearly
| all of its duration. However, slocal is not setuid, so this is
| certainly not needed.
And it is impossible for slocal to ever be used as the mail delivery
agent (the way procmail can be, for example) - so it gets run as root, but
told which user it is to deliver the mail for ?
Doesn't bother me either way, as I have never used slocal for anything,
but I thought I should mention the possibility.
| As far as I know, those conditions don't apply to any platform
| that we might actively support, including:
| Linux, Cygwin, AIX: use fcntl (by default)
| FreeBSD, OpenBSD, Mac OS X: use flock (by default)
| Solaris: has world-writable mail spool
Don't omit NetBSD from that list .... it normally also uses flock()
(that is, open(..., O_EXLOCK, ...) ) for manipulating the mail delivery
file, but also file locking as an option (I think to allow for the
possibility that the mail delivery filesystem is NFS mounted) - but
for that the delivery program is setuid, and the mail spool is world
writable (sticky). I don't know if there is anyone who actually uses
lockfiles though.
kre
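As an added example (not slocal's or nmh's code, and not from anyone in this thread), here is one way the quoted `if (geteuid() == 0) setuid(pw->pw_uid);` pattern can be guarded so that it is safe in both situations discussed above: a setuid-root installation where an ordinary user supplies the pw data, and a genuine root invocation by a delivery agent that names the recipient. The `-user`-style argument, the `switch_allowed` policy function and the `drop_to_user` helper are assumptions for illustration.

```c
/* Added example, not nmh code: guard a user switch so that user-supplied
 * pw data cannot be abused when the binary happens to be setuid root, while
 * a real root caller (the delivery-agent case) may still pick any user. */
#define _GNU_SOURCE 1          /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy: may a process with real uid `ruid` and effective uid `euid`
 * switch to `target`?
 *  - A real root invocation (ruid == 0) may pick any target: root decides
 *    whose mail is being delivered.
 *  - Otherwise the only acceptable target is the caller's own real uid; a
 *    setuid-root binary must not let the invoking user name some other
 *    account (or root) via the pw data they supplied.
 * Returns 1 if allowed, 0 otherwise.  Kept pure so it can be unit-tested. */
int switch_allowed(uid_t ruid, uid_t euid, uid_t target)
{
    (void)euid;   /* euid only decides whether a setuid() call is needed */
    if (ruid == 0)
        return 1;
    return target == ruid;
}

/* Resolve `name` (hypothetical -user argument), apply the policy, and if we
 * hold root privilege drop to that user permanently.  0 on success, -1 on
 * refusal or error. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    uid_t ruid = getuid(), euid = geteuid();

    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", name);
        return -1;
    }
    if (!switch_allowed(ruid, euid, pw->pw_uid)) {
        fprintf(stderr, "refusing to switch from uid %lu to %lu\n",
                (unsigned long)ruid, (unsigned long)pw->pw_uid);
        return -1;
    }
    if (euid == 0) {
        /* Supplementary groups and gid first: after setuid() to a non-root
         * uid we could no longer change them. */
        if (setgroups(0, NULL) == -1 || setgid(pw->pw_gid) == -1 ||
            setuid(pw->pw_uid) == -1) {
            fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
            return -1;
        }
        /* Confirm the drop is irreversible: an unchecked setuid() failure
         * is the classic way to keep root by accident. */
        if (pw->pw_uid != 0 && (geteuid() == 0 || setuid(0) == 0)) {
            fprintf(stderr, "still root after setuid(); aborting\n");
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical command line: ./a.out <user> */
    const char *user = argc > 1 ? argv[1] : "nobody";
    if (drop_to_user(user) != 0)
        return 1;
    printf("running as uid %lu\n", (unsigned long)getuid());
    return 0;
}
```

Run as an ordinary user with your own name it succeeds without any setuid() call; run setuid root by that user with another name it refuses; run by real root it switches to whichever user was named, which is the delivery-agent case kre describes.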
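The three mailbox-locking strategies named in the thread (flock, which is what NetBSD's `O_EXLOCK` amounts to; fcntl record locks; and a lock file in the spool directory) behave differently enough that it is worth seeing them side by side. The following is an added example, not code from nmh or NetBSD; the scratch mailbox under `/tmp` and the `lock_demo` result bitmask are constructed for the demonstration.

```c
/* Added example, not nmh or NetBSD code: take each kind of mailbox lock
 * non-blocking so a second attempt shows whether the lock is visible to it. */
#define _GNU_SOURCE 1          /* for flock() and mkstemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* flock(2): the lock belongs to the open file description, so a second
 * open() of the same file, even in the same process, collides with it.
 * open(..., O_EXLOCK, ...) on NetBSD/BSDs is open() plus this in one step. */
int try_flock(int fd) { return flock(fd, LOCK_EX | LOCK_NB); }

/* fcntl(2) write lock over the whole file.  These are per-process record
 * locks (the kind lockd can carry over NFS): another process sees the
 * conflict, but a second descriptor in the same process does not. */
int try_fcntl_lock(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;    /* l_start = l_len = 0: whole file */
    return fcntl(fd, F_SETLK, &fl);
}

/* Lock file: create "<mailbox>.lock" atomically with O_EXCL.  This needs
 * write access to the spool directory, which is why delivery programs that
 * use it run setuid or the spool is world-writable and sticky.
 * Returns the lock fd, or -1 with errno == EEXIST if someone holds it. */
int try_dotlock(const char *mailbox)
{
    char lockpath[4096];
    snprintf(lockpath, sizeof lockpath, "%s.lock", mailbox);
    return open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0644);
}

void release_dotlock(const char *mailbox)
{
    char lockpath[4096];
    snprintf(lockpath, sizeof lockpath, "%s.lock", mailbox);
    unlink(lockpath);
}

/* Exercise all three on a scratch mailbox.  Result bitmask:
 *   bit 0: flock rejected a second opener in this process
 *   bit 1: fcntl did NOT reject a second descriptor in this process
 *   bit 2: the lock file rejected a second creator
 * 7 on Linux and the BSDs; -1 if no scratch file could be made. */
int lock_demo(void)
{
    char path[] = "/tmp/spool-demo-XXXXXX";
    char alt[] = "spool-demo-XXXXXX";      /* fallback: current directory */
    char *mbox = path;
    int result = 0;
    int fd1 = mkstemp(path);
    if (fd1 == -1) { mbox = alt; fd1 = mkstemp(alt); }
    if (fd1 == -1) return -1;
    int fd2 = open(mbox, O_RDWR);
    if (fd2 == -1) { close(fd1); unlink(mbox); return -1; }

    if (try_flock(fd1) == 0 && try_flock(fd2) == -1 &&
        (errno == EWOULDBLOCK || errno == EAGAIN))
        result |= 1;
    flock(fd1, LOCK_UN);

    if (try_fcntl_lock(fd1) == 0 && try_fcntl_lock(fd2) == 0)
        result |= 2;

    int lfd = try_dotlock(mbox);
    if (lfd != -1) {
        int lfd2 = try_dotlock(mbox);
        if (lfd2 == -1 && errno == EEXIST)
            result |= 4;
        else if (lfd2 != -1)
            close(lfd2);
        close(lfd);
        release_dotlock(mbox);
    }
    close(fd2);
    close(fd1);
    unlink(mbox);
    return result;
}

int main(void)
{
    printf("lock_demo() = %d\n", lock_demo());
    return 0;
}
```

The fcntl result is the one that surprises people: a delivery program that opens the mailbox twice (or calls a library that does) cannot rely on its own fcntl lock to serialise itself, and closing any descriptor on the file drops every fcntl lock the process holds on it. The lock-file approach works over NFS without lockd, at the price of the directory permissions kre mentions.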
_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
https://lists.nongnu.org/mailman/listinfo/nmh-workers