On 26 Feb 2017 14:19 -0500, from jim(a)deitygraveyard.com (Jim Carpenter):
> No problem to send a file from your area to mine.
> But you'd better not
> be able to move a file into the protected systems area: only the system
> manager is allowed there. Stallman's software had better make sure this can't
> happen.
> Gnu didn't check. It let anyone move a file into protected systems
> space. The hacker knew this; we didn't.
That agrees well with my translated version.
So in a sense, everything that the Emacs movemail (thanks Tim) bug
allowed you to do was _really_ enabled by the fact that there existed
a user SOMEONE, for which ~SOMEONE was a directory, _used at least in
part for privileged purposes by the operating system_, to which
ordinary users were expected to not have any write access?
Consequently, if system (as opposed to regular user) accounts had had
a home directory set to something else, some place where it didn't
really matter if an unprivileged user was able to drop files, then
that bug would have been a nuisance (giving random users the ability
to take up disk space unaccounted for, requiring clean-up) but not
really the problem it became?
Looking at my modern Debian system, I see users in /etc/passwd with
home directories like /bin, /usr/sbin, /var/spool/postfix, /proc,
/var/run/sshd, within but not actually /etc, ... So in effect, we are
still to a large degree relying on people not making the same kind of
mistake that was made in movemail when writing code that runs suid
root. I know that anything running as suid root is potentially very
dangerous, but that seems like a trivial mitigative strategy. (When
was the last time anyone logged in as "daemon" on a modern Linux
system, let alone needed their home directory then to be /usr/sbin?)
--
Michael Kjörling •
https://michael.kjorling.se • michael(a)kjorling.se
“People who think they know everything really annoy
those of us who know we don’t.” (Bjarne Stroustrup)
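The passwd audit described in the message above (system accounts whose home directory is a shared system location such as /bin, /usr/sbin, /proc or /run, i.e. exactly the kind of ~user a setuid helper like movemail might be talked into writing into), as an added example that is not part of the thread or of any of its authors' posts. The list of privileged prefixes and the Debian-style system UID range (0-999) are assumptions the reader should adjust for their own system, and the passwd text embedded below is constructed for the demonstration, not copied from any real host.

```python
"""Audit passwd(5) data for system accounts whose home directory is a
shared, privileged location (e.g. /usr/sbin, /bin, /etc, /proc, /run).

Added example. PRIVILEGED_PREFIXES and SYSTEM_UID_MAX are heuristic
assumptions, not distribution policy; SAMPLE_PASSWD is constructed.
"""
from dataclasses import dataclass
from posixpath import normpath
import sys

# Directories holding binaries, configuration or kernel interfaces.
# A setuid program that writes into "~user" for a user homed here
# writes into system space. Assumption: adjust for your distribution.
PRIVILEGED_PREFIXES = (
    "/", "/bin", "/sbin", "/usr", "/etc", "/lib", "/lib64", "/boot",
    "/proc", "/sys", "/dev", "/run", "/var/run",
)

# Assumption: Debian allocates UIDs 0-999 to system accounts.
SYSTEM_UID_MAX = 999

# Constructed sample in passwd(5) format (not taken from a real host).
SAMPLE_PASSWD = """\
# constructed sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
postfix:x:106:113::/var/spool/postfix:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines; blank, comment and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record; a real audit would log it
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric uid/gid; skip rather than guess
    return entries


def is_privileged_home(home: str) -> bool:
    """True if HOME is, or lies under, one of PRIVILEGED_PREFIXES.

    Matching respects path boundaries, so /usrdata is not under /usr.
    An empty home field is treated as "/" (assumption).
    """
    path = normpath(home) if home else "/"
    for prefix in PRIVILEGED_PREFIXES:
        if prefix == "/":
            if path == "/":
                return True
        elif path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def audit(entries: list[PasswdEntry],
          uid_max: int = SYSTEM_UID_MAX) -> list[PasswdEntry]:
    """Return system accounts (uid <= uid_max) whose home is privileged."""
    return [e for e in entries
            if e.uid <= uid_max and is_privileged_home(e.home)]


if __name__ == "__main__":
    # With a path argument (e.g. /etc/passwd) audit that file;
    # otherwise run against the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_PASSWD
    for entry in audit(parse_passwd(data)):
        print(f"{entry.name}\tuid={entry.uid}\thome={entry.home}")
```

Running it without arguments reports daemon, bin, sys, proxy and sshd from the sample; postfix (own spool directory), nobody and _apt (/nonexistent) and the regular user alice are not flagged. A home of /nonexistent or a dedicated per-service directory is the harmless alternative the message describes: an unprivileged user who tricks a setuid program into writing there gains at most a clean-up chore.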