$Id: INSTALL,v 1.5 1991/11/25 21:29:01 chip Exp $


                        HOW TO INSTALL DELIVER


The Makefile includes an "install" target.  Running "make install"
installs Deliver and the "header" program.

Before running "make install", be logged in as root or else su'd to
root.  Also, check that the Makefile definitions for BIN and GROUP are
acceptable.  BIN specifies the target directory for the installed
program binaries.  GROUP specifies the group that should own the
installed program binaries.

Running "make install" copies the "deliver" and "header" binaries to
the directory specified by BIN.  It also changes the group of the
installed Deliver binary to the group specified by GROUP.  Finally, it
changes the permissions on the installed Deliver binary to be setuid
to root and world-executable.

The Deliver manual page is named "deliver.8".  If this file is
installed properly in the system man page directory, "man deliver"
will display the Deliver documentation.  However, because man page
directory structures vary widely, "make install" leaves the man page
uninstalled.

The "samples" directory contains sample delivery files.  New users of
Deliver may find them helpful.  Administrators installing Deliver for
system-wide use may want to copy the samples to a public directory and
inform the user community of their existence and location.



                WHY DELIVER IS INSTALLED SETUID ROOT,
                       AND WHY YOU SHOULD CARE


In normal operation, Deliver runs various shell scripts with the
permissions (user and group ids) of the various users who wrote them.
Normally, therefore, Deliver is installed as a setuid-root program.

As a result, no matter who runs Deliver, it executes with superuser
permissions, giving it the ability to assume any user's identity.  In
essence, Deliver has the keys to root.

For obvious reasons, it is vital for security-conscious system
administrators to take great care with setuid-root programs.

Deliver is careful -- one might even say paranoid -- about security.
Every effort has been taken to assure that no user can abuse Deliver
to get permissions that he should not have.  In particular, Deliver
takes special care that user delivery files always execute with the
same permissions that users have normally.

Nevertheless, a WARNING is appropriate: Global delivery files (system,
post-user and error) are executed as the superuser.  The problem with
superuser shell scripts (and shell scripts in general) is that command
line arguments can run other commands.  For example, suppose an evil
user at a neighbor site executes this command:

	echo gotcha | mail "yoursite!`rm importantfile`"

Further, suppose your system delivery file (for example) naively sends
mail to the address(es) requested by the sender, with this command:

	mail $*

The shell will expand that command like so:

	mail `rm importantfile`

If this happens, you're toast, because the backquotes cause the
command "rm importantfile" to be run as root.  ("Gotcha", indeed!)

This security hole can be plugged by checking command line arguments
for shell meta characters (quotes, backquotes, pipe symbols, etc.).
And that is exactly the approach that Deliver takes.  All shell
scripts executed by Deliver take addresses as their only arguments,
and Deliver carefully verifies that all addresses are free of shell
meta characters.

However, each person who writes a delivery file must be careful when
obtaining strings from other sources, such as the header or body of a
message, not to allow the contents of such strings to be executed.

Also, the error delivery file is a special case.  Its arguments are
*not* checked for shell meta characters.  This exception is by design:
the error delivery file is intended to handle all errors, including
those caused by illegal addresses.  Under no circumstances should the
parameters of an error delivery file be used in a way that might allow
their contents to be executed.

Moral: Caveat administrator.



                       NON-SETUID INSTALLATION


If running Deliver setuid-root is not possible for whatever reason,
Deliver can still be useful.  However, it will be able to execute only
the user delivery file of the user that runs it, and it will be unable
to write to any user's system mailbox except the one belonging to
the user that runs it.
