An analysis of in.comsatd on Solaris 2.4

From truss this looks like the rough idea behind comsatd:-

    input -> usertonotify@offset
    chdir(/var/mail)
    open & read /var/adm/utmp
    for each entry (not necessarily active)
1       stat(/dev/entry.ut_line)
        if (statbuf.st_mode & S_IXUSR)
            if fork && child
2               if getpwuid(statbuf.st_uid)->pw_name == usertonotify
                    setuid(targetuid)        done all over the place
                                             ...but not a problem if target is root
                    fd = open /dev/entry.ut_line, O_RDWR
3                   istty = isatty(fd)
3                   close(fd)
3                   if istty
3                       ttyfd = open /dev/entry.ut_line, O_WRONLY|O_CREAT|O_TRUNC, 0666
                        write(fd, "New mail ...")
                        stat(usertonotify)
                        mailfd = open(usertonotify, O_RDONLY)
                        lseek(mailfd, offset)
4                       fstat(mailfd)
                        ioctl(mailfd, TCGETA)
                        bytesread = read(mailfd, buf, sizeof buf)
5                       write(ttyfd, buf, bytesread)
                        write(ttyfd, "- - - -")
6                       utime(usertonotify, restoreaccesstime)
                        exit

Notes.

1. No check for "../", and it must of course be a symlink anyway.
2. Inefficient doing this for every device.
3. Check to see if it is a device rather than a file.
3. Race.
3. File opened with O_CREAT, why??
4. I suspect this is stdio rather than code checking to see that /var/mail/root isn't a symlink to /etc/shadow.
5. No stripping of control codes, therefore any number of dangerous escape sequences can be sent.
6. Another race if you wish to arbitrarily utime any particular file.

To gain root access, root must be logged in somewhere with biff y. He must be nowhere near his terminal! Use /usr/lib/utmp_update to create a slot as root with device ../tmp/f

I have a program that does this, including execing the /usr/lib/utmp_update, and it works, but I leave it as an exercise for the reader.

IMHO making this secure on a system with symlinks, world writeable /var/mail and arbitrarily updateable /var/adm/utmp is doomed to disaster.
If you disallow comsat to root, check whether any filenames contain "..", check that /var/mail/foo is not a symlink or a file with more than one hard link, and check that the info you write to the tty only contains printable characters, you're getting closer...

Cheers,
Paul
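As an added illustration of the three checks just listed (this is not code from the original post or from Solaris comsatd): a name filter that rejects ".." and path separators, a mailbox open that refuses symlinks and multiply-linked files and re-checks the open descriptor against the lstat() result so a swap between the two calls is caught, and a filter that drops control characters before anything is written to a tty. It assumes the caller has already chdir()ed to the spool directory, as the daemon does.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A mailbox name is a plain login name: no '/', no "..", no empty string.
   The daemon opens the name relative to /var/mail, so "../tmp/f" style
   input must never reach open(). */
int valid_mailbox_name(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 32)
        return 0;
    if (strstr(name, "..") != NULL || strchr(name, '/') != NULL)
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

/* Open a mailbox read-only only if it is a regular file with exactly one
   hard link (so it is neither a symlink nor a link to someone else's file).
   lstat() before and fstat() after open() are compared by (dev, ino): if the
   name was swapped in between, the descriptor is dropped. O_NONBLOCK keeps a
   FIFO swapped in at the same path from hanging the daemon on open(). */
int open_mailbox_checked(const char *path)
{
    struct stat before, after;
    if (lstat(path, &before) < 0) return -1;
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1) return -1;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &after) < 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || !S_ISREG(after.st_mode) ||
        after.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy mail text keeping only printable ASCII, tab and newline, so escape
   sequences in a message body are never written to the user's tty.
   Returns the number of bytes stored (excluding the terminating NUL). */
size_t strip_controls(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i < inlen && n + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isprint(c) || c == '\t' || c == '\n')
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}
```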