$Id: INSTALL,v 1.5 1991/11/25 21:29:01 chip Exp $

HOW TO INSTALL DELIVER

The Makefile includes an "install" target. Running "make install" installs Deliver and the "header" program.

Before running "make install", be logged in as root or else su'd to root. Also, check that the Makefile definitions for BIN and GROUP are acceptable. BIN specifies the target directory for the installed program binaries. GROUP specifies the group that should own the installed program binaries.

Running "make install" copies the "deliver" and "header" binaries to the directory specified by BIN. It also changes the group of the installed Deliver binary to the group specified by GROUP. Finally, it changes the permissions on the installed Deliver binary to be setuid to root and world-executable.

The Deliver manual page is named "deliver.8". If this file is installed properly in the system man page directory, "man deliver" will display the Deliver documentation. However, because man page directory structures vary widely, "make install" leaves the man page uninstalled.

The "samples" directory contains sample delivery files. New users of Deliver may find them helpful. Administrators installing Deliver for system-wide use may want to copy the samples to a public directory and inform the user community of their existence and location.

WHY DELIVER IS INSTALLED SETUID ROOT, AND WHY YOU SHOULD CARE

In normal operation, Deliver runs various shell scripts with the permissions (user and group ids) of the various users who wrote them. Normally, therefore, Deliver is installed as a setuid-root program. As a result, no matter who runs Deliver, it executes with superuser permissions, giving it the ability to assume any user's identity. In essence, Deliver has the keys to root.

For obvious reasons, it is vital for security-conscious system administrators to take great care with setuid-root programs. Deliver is careful -- one might even say paranoid -- about security.
Every effort has been taken to assure that no user can abuse Deliver to get permissions that he should not have. In particular, Deliver takes special care that user delivery files always execute with the same permissions that users have normally.

Nevertheless, a WARNING is appropriate:

Global delivery files (system, post-user and error) are executed as the superuser. The problem with superuser shell scripts (and shell scripts in general) is that command line arguments can run other commands. For example, suppose an evil user at a neighbor site executes this command:

    echo gotcha | mail "yoursite!`rm importantfile`"

Further, suppose your system delivery file (for example) naively sends mail to the address(es) requested by the sender, with this command:

    mail $*

The shell will expand that command like so:

    mail `rm importantfile`

If this happens, you're toast, because the backquotes cause the command "rm importantfile" to be run as root. ("Gotcha", indeed!)

This security hole can be plugged by checking command line arguments for shell meta characters (quotes, backquotes, pipe symbols, etc.). And that is exactly the approach that Deliver takes. All shell scripts executed by Deliver take addresses as their only arguments, and Deliver carefully verifies that all addresses are free of shell meta characters.

However, each person who writes a delivery file must be careful when obtaining strings from other sources, such as the header or body of a message, not to allow the contents of such strings to be executed.

Also, the error delivery file is a special case. Its arguments are *not* checked for shell meta characters. This exception is by design: the error delivery file is intended to handle all errors, including those caused by illegal addresses. Under no circumstances should the parameters of an error delivery file be used in a way that might allow their contents to be executed.

Moral: Caveat administrator.
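The check described above, written as a delivery-file fragment, is shown here as an added example; it is not code from the Deliver distribution, and it does not reproduce Deliver's own C-level check. The accepted address character set, the "would run: mail" stand-in for the real mailer, and the constructed sample addresses are assumptions made for this example. It rejects any argument carrying shell meta characters before a script hands it to another command, and it replaces the naive "mail $*" with a loop that validates each address and passes it on as a single quoted word.

```shell
#!/bin/sh
# Added example for this INSTALL file; not part of Deliver itself.
# Shows the kind of check the text describes: reject any address that
# carries shell meta characters before a delivery file uses it.

# safe_address ADDR -> exit status 0 when ADDR is free of shell meta
# characters.  Only letters, digits and the address punctuation
# "@ . ! % _ + = -" are accepted (an assumption chosen for this example);
# everything else -- quotes, backquotes, $, |, ;, &, <, >, parentheses,
# braces, *, ?, whitespace and newlines -- is rejected.
safe_address() {
    case "$1" in
        '')                      return 1 ;;   # empty: nothing to deliver to
        *[!A-Za-z0-9@.!%_+=-]*)  return 1 ;;   # some character outside the set
        *)                       return 0 ;;
    esac
}

# filter_addresses ADDR... -> prints the safe addresses one per line and
# reports each rejected one on stderr.  Exit status 0 only if at least
# one address survived.
filter_addresses() {
    kept=0
    for addr in "$@"; do
        if safe_address "$addr"; then
            printf '%s\n' "$addr"
            kept=$((kept + 1))
        else
            printf 'rejected address with shell meta characters: %s\n' "$addr" >&2
        fi
    done
    [ "$kept" -gt 0 ]
}

# A delivery-file command written the safe way.  The naive form is
# "mail $*"; here every argument is checked first and then passed as one
# quoted word ("$addr"), so the shell never re-parses its contents.
# MAIL_CMD is a stand-in so the example runs without a mailer installed.
MAIL_CMD="echo would run: mail"
forward_mail() {
    for addr in "$@"; do
        safe_address "$addr" || continue
        $MAIL_CMD "$addr"
    done
    return 0
}

# Demonstration on constructed input, including the address from the text.
# The hostile address is single-quoted, so the backquotes are data here and
# are never executed by this script.
filter_addresses 'chip@example.com' 'yoursite!`rm importantfile`' 'root|sh'
forward_mail 'chip@example.com' 'root|sh'
```

Running the script prints the one clean address from filter_addresses, two rejection lines on stderr, and "would run: mail chip@example.com" from forward_mail. A real delivery file would replace the MAIL_CMD stand-in with the actual mailer invocation, keeping the per-argument check and the double quotes around "$addr".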
NON-SETUID INSTALLATION

If running Deliver setuid-root is not possible for whatever reason, Deliver can still be useful. However, it will be able to execute only the user delivery file of the user that runs it, and it will be unable to write to any user's system mailbox except the one belonging to the user that runs it.