Date: Sun, 02 Feb 2014 10:58:30 -0500
From: David Levine <levin...@acm.org>
Message-ID: <21266-1391356710.058...@pwcr.arvw.l24H>
| 2) if (geteuid() == 0) setuid(pw->pw_uid);
|
| This would be a security hole if the executable was setuid root
| because the user specifies the source of the pw data. This is
| in slocal(1), where it would be significant, and it's for nearly
| all of its duration. However, slocal is not setuid, so this is
| certainly not needed.

And it is impossible for slocal to ever be used as the mail delivery agent (the way procmail can be, for example) - so it gets run as root, but told which user it is to deliver the mail for? Doesn't bother me either way, as I have never used slocal for anything, but I thought I should mention the possibility.

| As far as I know, those conditions don't apply to any platform
| that we might actively support, including:
|
| Linux, Cygwin, AIX: use fcntl (by default)
| FreeBSD, OpenBSD, Mac OS X: use flock (by default)
| Solaris: has world-writable mail spool

Don't omit NetBSD from that list .... it normally also uses flock() (that is, open(..., O_EXLOCK, ...)) for manipulating the mail delivery file, but also file locking as an option (I think to allow for the possibility that the mail delivery filesystem is NFS mounted) - but for that the delivery program is setuid, and the mail spool is world writable (sticky). I don't know if there is anyone who actually uses lockfiles though.

kre

_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers
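As an added illustration (not slocal's code or anything posted in this thread), here is how the conditional drop quoted above can be written defensively for the setuid-root case the message worries about: the delivery user is resolved through the system password database rather than caller-supplied passwd data, root is refused as a target, and the drop is verified afterwards. The function names are hypothetical.

```c
/* Added example: defensive privilege drop for a delivery agent.
 * Function names are hypothetical; this is not slocal's code. */
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>

/* Resolve the delivery user from the system password database, never from
 * a passwd struct the caller supplied, so a setuid binary cannot be steered
 * to an arbitrary uid. Returns -1 if the name is unknown or maps to root. */
int lookup_delivery_uid(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Drop to the target identity when running as root, then verify the result.
 * Returns 0 on success, -1 on refusal or failure; never continues as root
 * silently when a drop was requested. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0)                       /* "dropping" to root is not a drop */
        return -1;
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0)    /* clear supplementary groups */
            return -1;
        if (setgid(gid) != 0)           /* gid first, while still root */
            return -1;
        if (setuid(uid) != 0)
            return -1;
    } else if (getuid() != uid) {
        return -1;                      /* unprivileged and not that user */
    }
    /* Verify the identity really changed and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (setuid(0) == 0)                 /* succeeded: the drop did not stick */
        return -1;
    return 0;
}
```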