
Re: Problem with aliases to program



> > On Tue, 1 Apr 1997, Victor Gamov wrote:
> > > 	Hi!
> > > 
> > > 	I have a problem when I try to send mail to a user with the following
> > >     record in the aliases file:
> > > 		user:	"|/usr/local/bin/myprogram"
> > > 	I've got error message: "Mail to program disallowed w/o proper
> > >     privileges".  
> > > 	Any suggestions? 
> > 
> > Yes, check the UID of the user.  If it is something in the lower range
> > (below 100 or so), try upping it.  I had this problem before and this
> > solved it for me.
> 
> 	But I want to add the user to the aliases file without adding it to the passwd file.

	This looks like a security problem with the aliases file.

	Verify protections of:
		$MAILVAR/db/aliases*	644 or stricter
		$MAILVAR/db		755 or stricter

	If those conditions are not met, the address expanded through
	the aliases will get the privilege of "nobody", which is a magic
	token to disable several security-sensitive operations, like
	writing to non-mailbox files, or running pipes.

	On a related note, on machines where uid_t is unsigned, the
	"nobody" account should NOT have uid -2!

	That MIGHT relate to an "easy to get a root shell" that was
	noted yesterday.
	(To know for sure, I do need more details of the setup...)

> --
> 	CU, Victor Gamov

	/Matti Aarnio <mea@nic.funet.fi>
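
The permission check described in the message above, as an added example that is not part of the original post or of the mailer's own tooling. The function names `perm_of`, `mode_within` and `audit_aliases` are hypothetical, `MAILVAR` must be set to your installation's value, and `stat` is assumed to be the GNU or BSD variant.

```shell
#!/bin/sh
# Added example: audit the alias database modes named in the message
# ($MAILVAR/db at 755 or stricter, $MAILVAR/db/aliases* at 644 or stricter).

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mode_within PATH MAX: succeed only if PATH has no permission bit set
# outside MAX. 640 is "stricter" than 644; 664 and 4644 are not.
mode_within() {
    mode=$(perm_of "$1") || return 2
    [ $(( 0$mode & ~0$2 & 07777 )) -eq 0 ]
}

# audit_aliases DIR: check DIR and every DIR/aliases* file.
# Prints one line per violation and returns non-zero if any was found.
audit_aliases() {
    bad=0
    if ! mode_within "$1" 755; then
        echo "too permissive: $1 ($(perm_of "$1")), want 755 or stricter"
        bad=1
    fi
    for f in "$1"/aliases*; do
        [ -e "$f" ] || continue   # glob matched nothing
        if ! mode_within "$f" 644; then
            echo "too permissive: $f ($(perm_of "$f")), want 644 or stricter"
            bad=1
        fi
    done
    return $bad
}

# Run the audit only when MAILVAR is provided by the caller's environment.
if [ -n "${MAILVAR:-}" ]; then
    audit_aliases "$MAILVAR/db" || echo "fix the modes listed above"
fi
```

A group-writable or world-writable alias file or directory is reported, which is the condition under which alias expansions are demoted to "nobody" and pipe delivery is refused.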