Aucbvax.3009
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Tue Sep 8 11:22:44 1981
/usr/spool/mail, setuid/setgid bits, a meta-comment, and more.

>From IngVAX.eric@Berkeley Tue Sep 8 11:13:57 1981

First of all, as a UNIX hacker for about many years now, having worked with versions 4, 5, 6, 7, 32V, 1BSD, 2BSD, 3BSD, 2.8BSD, 4BSD, 4.1BSD, PWB1.0, and a few others, I feel that clearing the setuid and setgid bits when the inode is touched is appropriate, and that this belongs in the kernel. Why is this any worse than the chown syscall being disabled for the original owner of a file (you used to be able to give away files), disabled in version 6 so as not to "defeat the (nonexistent) file-space accounting procedures"? The set?id bits are powerful, and this is an appropriate security measure.

However, you can break into su without using the setuid bits, and without having /etc and /usr/spool/mail on the same device; in fact, without using any fancy features at all. However, I feel that it is inappropriate for me to send the technique to a mailing list of this huge distribution, given the number of systems that have this problem -- however I am willing to send individual explanations to responsible system gurus (i.e., real UNIX wizards).

By the way, I obviously agree with the argument that this list has been too widely distributed -- there are things (such as this) which should not get wide distribution -- and I believe that in the initial days of this list, that was intended to be a goal. Too bad.....

Finally, you can configure Berkeley "Mail" quite trivially to truncate rather than unlink the mail file.

eric

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/

This Usenet Oldnews Archive article may be copied and distributed freely, provided:
1. There is no money collected for the text(s) of the articles.
2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.