From: zen@death.corp.sun.com (d)
Newsgroups: alt.security,comp.security.misc
Subject: mail spool dirs [Was: COPS security report question]
Message-ID: <ZEN.92May29140143@death.corp.sun.com>
Date: 29 May 92 19:01:43 GMT
References: <root.707141979@merlin> <ZEN.92May29094208@death.corp.sun.com>
	<1992May29.175751.18958@nntp.hut.fi>
Organization: savage hackers
In-reply-to: jkp@cs.HUT.FI's message of 29 May 92 17:57:51 GMT


In article <1992May29.175751.18958@nntp.hut.fi> jkp@cs.HUT.FI (Jyrki Kuoppala) writes:
   In article <ZEN.92May29094208@death.corp.sun.com>, zen@death (d) writes:
   >  >Warning!  /usr/spool/mail is _World_ writable!
   > Probably not a problem.  Esp. if a sun.
   My memory is very bad as always, but I think a world-writable
   /usr/spool/mail is a problem.  Though there probably was something
   about SunOS that made it a less serious problem than on other machines.
   Or vice versa.  Perhaps it was only about reading someone's mail by
   mv'ing their mail file to your mail file.  If not, there is some
   in.comsat stuff you should look at - perhaps it running as root and
   making symlinks in /usr/spool/mail.

 I'll agree in principle on this one, but unfortunately if you chmod
the dir, mail will often stop working.  But it can be a great way to
read people's mail or worse; if they don't currently have a mail spool
file, something like:

touch /usr/spool/mail/foo_user
chmod 666 /usr/spool/mail/foo_user

  Will allow you to read/write mail as it comes in on almost all
systems.  On the really bad ones you can do something like

echo "#!/bin/sh" > /usr/spool/mail/foo_user
chmod 4777 /usr/spool/mail/foo_user
echo test | mail foo_user

  And it will chown, but not chmod, your mail spool file.  Then
the ol' suid-shell-script-symbolic-link trick gives you a suid shell
of the user.  If it doesn't work, it will still often do
assorted strange things, like not chowning the file to the rightful
mail spool owner, etc.

 -- d
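The conditions the post describes (a world-writable spool directory, a pre-created spool file left mode 666, a spool file that picked up a setuid bit, a spool file whose owner is not the user it is named after) are all visible from file metadata, so they can be checked for rather than argued about. The script below is an added example, not code from the post or from any mailer or COPS release; it assumes a classic one-file-per-user mbox spool (/usr/spool/mail in 1992, /var/mail or /var/spool/mail on most systems today) and parses `ls -ld` output so it works on both GNU and BSD userlands. The spool path, the finding labels and the function name `audit_spool` are this example's own choices.

```shell
#!/bin/sh
# audit_spool: report mail-spool weaknesses of the kind discussed above.
# Added example, not part of the original post.  Assumes a mbox-style spool:
# one regular file per user, named after that user, under one directory.
#
# Findings printed (one per line, first word is the label):
#   DIR-WORLD-WRITABLE  anyone can "touch $dir/victim" before the victim has
#                       mail; the sticky bit stops rename/unlink of others'
#                       files but not creation, so a sticky dir is still listed
#   FILE-WRITABLE       spool file writable by group or others (the chmod 666
#                       trick: read or alter mail as it arrives)
#   FILE-SETUID/SETGID  spool file carries an s-bit (the chmod 4777 trick)
#   FILE-OWNER          spool file not owned by the user it is named for
#   FILE-SYMLINK        spool entry is a symbolic link
# Exit status: 0 if nothing found, 1 if something was found, 2 on usage error.

audit_spool() {
    dir=${1:-/var/mail}           # assumed default; 1992 systems used /usr/spool/mail
    findings=0

    [ -d "$dir" ] || { echo "ERROR $dir: not a directory" >&2; return 2; }

    # Directory mode: position 9 of the ls mode string is the "other" write bit,
    # position 10 shows t/T when the sticky bit is set.
    dperm=$(ls -ld "$dir" | awk '{print $1}')
    case "$dperm" in
        d???????w[tT]*) echo "DIR-WORLD-WRITABLE $dir ($dperm, sticky)"; findings=1 ;;
        d???????w*)     echo "DIR-WORLD-WRITABLE $dir ($dperm)";         findings=1 ;;
    esac

    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # empty directory: glob did not expand
        name=${f##*/}                               # spool file name == expected owner
        perm=$(ls -ld "$f" | awk '{print $1}')
        owner=$(ls -ld "$f" | awk '{print $3}')

        if [ -L "$f" ]; then
            echo "FILE-SYMLINK $(ls -ld "$f")"; findings=1
            continue
        fi
        # Position 6 is group write, position 9 is other write.
        case "$perm" in
            -????w*|-???????w*) echo "FILE-WRITABLE $f ($perm)"; findings=1 ;;
        esac
        # Position 4 shows s/S for setuid, position 7 s/S for setgid.
        case "$perm" in
            -??[sS]*)    echo "FILE-SETUID $f ($perm)"; findings=1 ;;
        esac
        case "$perm" in
            -?????[sS]*) echo "FILE-SETGID $f ($perm)"; findings=1 ;;
        esac
        if [ "$owner" != "$name" ]; then
            echo "FILE-OWNER $f owned by $owner, expected $name"; findings=1
        fi
    done
    return $findings
}

# Usage: sh audit_spool.sh [spool-dir]   (run as root so every file is readable by ls)
if [ $# -gt 0 ]; then
    audit_spool "$1"
    exit $?
fi
```

Two caveats when reading the output. A sticky, world-writable spool directory is better than a plain world-writable one, but it does not stop the "touch; chmod 666" pre-creation trick, which is why the script still reports it. And the owner check only tells you the file name and owner disagree; whether that is an attacker's pre-created file or a leftover from a renamed account has to be decided by hand.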

