> I was called for help on a breakin attempt that appeared to be using
> the local mail delivery agent race on SunOS. In response, I wrote the
> following. It appears to me to be fairly tight, but I'd appreciate any
> flaws anyone can pick with it. (It does have some problems, notably
> lack of checking for malloc() failure and disk full errors. I'm
> talking about specifically security holes.)
>
> In return, I offer this to anyone who may care to use it. (Of course,
> it comes with no warranty; it's free, and you get what you pay for.)
> Unpack into a directory somewhere and compile with
> "cc -I. -o localmail *.c" or something equivalent. (You will need to
> use a prototype-capable compiler. NeXTstep 2.1 /bin/cc works, as does
> gcc 2.6.3 under SunOS 4.1.3, provided you link with something that
> provides strerror().)
>
> der Mouse
>
> mouse@collatz.mcrcim.mcgill.edu
>

I had a quick look at your code (although your tab key appears to be
broken, and your space bar is intermittent ;-), main() doesn't look too
clever:-

    {
        FILE *f;
        int i;
        i = open("/tmp/localmail.log",O_WRONLY|O_APPEND);
        if (i >= 0) {
            f = fdopen(i,"a");
            fprintf(f,"[%d] uid=%d euid=%d ac=%d\n",getpid(),getuid(),geteuid(),ac);
            for (i=0;av[i];i++) {
                fprintf(f,"\t%s\n",av[i]);
            }
            fclose(f);
        }

I presume you either intend to make localmail suid root, or have
sendmail set[ug]id for you, which makes the above potentially dodgy.

Also your mkstemp() replacement is pure overkill.

Recommended code for binmail, with every known problem fixed, can be
found in:-

    CERT advisory CA-95:02.binmail.vulnerabilities

and I would personally recommend it.

Cheers,
Neil

--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...
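
The concern raised in the reply above is a privileged process appending to a fixed name in world-writable /tmp. As an added example (not code from either poster or from the CERT advisory), here is one way to open such a log defensively on a current POSIX system. The names safe_log_open, trusted_uid and demo are hypothetical, and O_NOFOLLOW assumes POSIX.1-2008, which postdates the systems discussed in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing log for append from a privileged process.
 * Returns an fd, or -1 if the path is not a plain file we trust.
 * trusted_uid (hypothetical parameter): the only owner accepted, 0 for root. */
int safe_log_open(const char *path, uid_t trusted_uid)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the final path component;
     * O_NONBLOCK avoids hanging if the name turns out to be a FIFO. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path: we validate the object we
     * actually opened, so there is no gap between check and use. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                /* no device, FIFO, directory */
        st.st_uid != trusted_uid ||            /* created by someone else */
        st.st_nlink != 1 ||                    /* hard link to another file */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* writable by others */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check in a private temp directory: bit 0 is set when a
 * plain log file is accepted, bit 1 when a symlink to it is refused. */
int demo(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", real[64], lnk[64];
    int ok_fd, bad_fd, result = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(real, sizeof real, "%s/real.log", dir);
    snprintf(lnk, sizeof lnk, "%s/link.log", dir);
    close(open(real, O_CREAT | O_WRONLY, 0600));
    if (symlink(real, lnk) != 0)
        result = -1;
    ok_fd = safe_log_open(real, geteuid());
    bad_fd = safe_log_open(lnk, geteuid());
    if (result == 0 && ok_fd >= 0) result |= 1;
    if (result >= 0 && bad_fd < 0) result |= 2;
    if (ok_fd >= 0) close(ok_fd);
    unlink(lnk); unlink(real); rmdir(dir);
    return result;
}
```

Keeping the log in a directory that only the privileged user can write removes the need for most of these checks.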