Bug 108020 - comsat(8) does not verify return values of getpwnam and setuid
Summary: comsat(8) does not verify return values of getpwnam and setuid
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 6.2-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-16 21:50 UTC by Bjoern Voigt
Modified: 2017-12-31 22:36 UTC (History)
Description Bjoern Voigt 2007-01-16 21:50:21 UTC
I reviewed the code of comsat (/usr/src/libexec/comsat/comsat.c).

There are two potential problems in function jkfprintf():

[...]
        /* Set effective uid to user in case mail drop is on nfs */
        if ((p = getpwnam(user)) != NULL)
                (void) setuid(p->pw_uid);
[...]

1) If getpwnam() fails, the function continues without dropping privileges.
2) The return value of setuid() is not checked. The manual page says that
   setuid() can only fail for non-root. Anyway, it's not good style to
   ignore the result of setuid().

Fix: 

getpwnam problem:
I suggest returning from jkfprintf() if getpwnam() fails.

setuid problem:
I suggest returning from jkfprintf() if getpwnam() fails and if getuid()
returns 0 (root). The check for user root may not be necessary, since normal
users cannot really switch the uid with setuid() if the program is not
installed set-uid (as far as I know).

I could help with a patch and with testing.
How-To-Repeat: Faked comsat requests could be generated with "nc" (netcat). A "bad" user
could send nonexistent user names (getpwnam() will fail and setuid() will
not be called). He could also send file names which should not be readable
by the user who receives the biff messages.

netcat could be used this way (tested with netcat from ports collection):

$ /usr/local/bin/nc -u localhost 512
user@0:/some/file
Control-c
(Mail for "user", offset byte 0, mailbox "/some/file")
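The checked privilege drop the report asks for, as an added example in C that is not the comsat.c source and not a FreeBSD patch; drop_privs_for_user() and print_mail_header() are hypothetical names standing in for the jkfprintf() code path, and the code assumes an ordinary POSIX passwd database:

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes; the original code has no such reporting. */
enum drop_result {
	DROP_OK = 0,
	DROP_NO_SUCH_USER,	/* getpwnam() returned NULL */
	DROP_SETUID_FAILED,	/* setuid() returned -1, errno is set */
	DROP_STILL_ROOT		/* setuid() returned 0 but uid 0 remains */
};

/*
 * Checked version of the getpwnam()/setuid() pair quoted in the report:
 * every failure is reported so the caller can stop before touching the
 * mailbox with the wrong credentials, instead of falling through.
 */
enum drop_result
drop_privs_for_user(const char *user)
{
	struct passwd *p;

	if ((p = getpwnam(user)) == NULL)
		return (DROP_NO_SUCH_USER);
	if (setuid(p->pw_uid) == -1)
		return (DROP_SETUID_FAILED);
	/* Verify the drop rather than trusting the return value alone. */
	if (p->pw_uid != 0 && (getuid() == 0 || geteuid() == 0))
		return (DROP_STILL_ROOT);
	return (DROP_OK);
}

/* Caller pattern the report suggests: return early on any failure. */
int
print_mail_header(const char *user, const char *mailbox)
{
	enum drop_result r = drop_privs_for_user(user);

	if (r != DROP_OK) {
		fprintf(stderr, "comsat: not reading %s for %s: %s\n", mailbox, user,
		    r == DROP_SETUID_FAILED ? strerror(errno) : "privilege drop refused");
		return (-1);
	}
	/* Open and read the mailbox here, now running as the recipient. */
	return (0);
}
```

Run as an unprivileged user, a request naming another real account now fails at the setuid() check (EPERM) instead of reading the file with the caller's credentials; a request naming an unknown user fails at the getpwnam() check.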
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:44 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped