I was debugging a new procmail rule and noticed some strange information in the logfile. It ended up being mkdir complaining that it could not create a directory because it existed. I found out that this was coming from a user's .cshrc file that had something like:

    if ( ! -r /home/user/TMPDIR ) then
        mkdir /home/user/TMPDIR
    endif

The TMPDIR was there but it was with mode 0700 and owned by the user, so it was not readable by other users, so if another user was trying to execute the .cshrc file it would attempt to execute the mkdir command.

The problem is this. Why is a user's .cshrc file being executed by another user?

I put some debugging info in my account and found this:

    New shell invocation: PID=18443: id=<<uid=0(root) gid=6(mail)>>
         UID   PID  PPID  C    STIME TTY      TIME CMD
        root 18440     1  0 15:01:52 ?        0:00 /usr/lib/sendmail -bd -q15m
        root 18441 18440  0 15:01:52 ?        0:00 procmail -f somebodyelse@xxxxxxxxxxx -Y -a -d mbarnes
        root 18442 18441  0 15:01:52 ?        0:00 procmail -f somebodyelse@xxxxxxxxxxx -Y -a -d mbarnes
        root 18443 18442  0 15:01:52 ?        0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,

mbarnes is me.

The procmail command that invoked the shell as root but sourced my shell's dotfiles was this:

    DEST_USER=`echo $ORGMAIL | sed s,$MAILDIR/,,`

The invocation of procmail is via sendmail.cf and it is called by:

    Mlocal, P=/usr/local/bin/procmail, F=ESAw5:|/@glDFMPhsfn, S=10/30, R=20/40,
            T=DNS/RFC822/X-Unix,
            A=procmail -Y -a $h -d $u

Note that the '$h' appears to be an empty string or nonexistent altogether. I haven't gotten any further at this time.

I am by no means a sendmail or procmail expert, and I simply may have something misconfigured on my system, but at this time, at least for me, this is a local root exploit.

Any comments?

Mike

--
/-----------------------------------------\
| Michael Barnes <mbarnes@xxxxxxxxxxxxxx> |
| UNIX Systems Administrator              |
| College of William and Mary             |
| Phone: (757) 879-3930                   |
\-----------------------------------------/
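
One way to spot the condition described in the message above on a running system, as an added example that is not part of the original post: the function scans `ps -ef` output for root-owned `-c` shells whose parent is a `procmail ... -d <recipient>` process. The function names, the sample rows and the users alice and bob are constructed for illustration, and the parser assumes STIME is a single token.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `ps -ef` output on stdin and
# prints "PID RECIPIENT" for every root-owned `-c` shell whose parent is a
# "procmail ... -d RECIPIENT" delivery process.
# Assumption: STIME is a single token, so the command line starts at field 8.
find_root_shells_under_procmail() {
    awk '
    NR == 1 && $1 == "UID" { next }              # skip the header row
    {
        pid = $2; uid[pid] = $1; ppid[pid] = $3
        cmd = $8
        for (i = 9; i <= NF; i++) cmd = cmd " " $i
        cmdline[pid] = cmd
        order[++n] = pid
    }
    END {
        for (k = 1; k <= n; k++) {
            pid = order[k]
            if (uid[pid] != "root") continue
            # A shell started with -c, as procmail does for backtick commands.
            if (cmdline[pid] !~ /^([^ ]*\/)?(sh|bash|ksh|zsh|csh|tcsh) -c /) continue
            pc = cmdline[ppid[pid]]
            if (pc !~ /^([^ ]*\/)?procmail /) continue
            # The recipient is the argument that follows -d.
            rcpt = ""
            m = split(pc, a, " ")
            for (j = 1; j < m; j++) if (a[j] == "-d") rcpt = a[j + 1]
            if (rcpt != "") print pid, rcpt
        }
    }'
}

# Constructed sample rows in the column layout shown in the post.
sample_ps() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
root 18440 1 0 15:01:52 ? 0:00 /usr/lib/sendmail -bd -q15m
root 18441 18440 0 15:01:52 ? 0:00 procmail -f sender@example.org -Y -a -d alice
root 18442 18441 0 15:01:52 ? 0:00 procmail -f sender@example.org -Y -a -d alice
root 18443 18442 0 15:01:52 ? 0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,
bob 18500 18499 0 15:02:10 ? 0:00 /bin/sh -c formail -x Subject:
root 18499 18440 0 15:02:10 ? 0:00 procmail -f sender@example.org -Y -a -d bob
root 18600 1 0 15:03:00 ? 0:00 /bin/sh -c /usr/sbin/logrotate
EOF
}

sample_ps | find_root_shells_under_procmail    # prints: 18443 alice
```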