https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820570#M741141 The file /etc/mail/aliases and .forward have similar capabilities. The .forward file itself does not execute but it may contain directives such as: pipe mail to this script, and is exactly how you can filter or process email automatically as it is received. It's not exactly a backdoor since /etc/mail/aliases is owned by root and not writable by ordinary users. A user can place a .forward in their $HOME directory but the script will only run if the delivery process can run the script or program. This is likely where a security scan would be centered:<BR /> <BR />ll /home/*/.forward<BR /> <BR />If you grep for the | (pipe) symbol in aliases and .forward files, you will see any automated mail handling. Also look for procmail as another way to handle incoming email. Mon, 10 Jul 2006 15:09:49 GMT Bill Hassell 2006-07-10T15:09:49Z https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820567#M741138 Working on a security cleanup assignment. Heard mention that the UNIX .forward file can be used to execute code, acting like a back door. Does anyone know if this applies to HP-UX? Mon, 10 Jul 2006 09:56:43 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820567#M741138 Daniel M. Gonzales 2006-07-10T09:56:43Z https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820568#M741139 Shalom,<BR /><BR />It does not execute code.<BR /><BR />It can forward a users mail from his/her home directory to anywhere and can be used maliciously to relay spam. It should have tight permissions on it if it exists at all.<BR /><BR />It certainly should not have execute rights, or it could be modified to be a shell script that does execute code.<BR /><BR />It is much better to handle sendmail forwarding in the /etc/aliases file or in virtusertables genericstables which are controlled and owned by root.<BR /><BR />SEP Mon, 10 Jul 2006 09:58:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820568#M741139 Steven E. Protter 2006-07-10T09:58:59Z https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820569#M741140 Hi Daniel:<BR /><BR />The potential relates to the '.forward' file for UNIX in general.<BR /><BR />Regards!<BR /><BR />...JRF... Mon, 10 Jul 2006 09:59:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820569#M741140 James R. Ferguson 2006-07-10T09:59:59Z https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820570#M741141 The file /etc/mail/aliases and .forward have similar capabilities. The .forward file itself does not execute but it may contain directives such as: pipe mail to this script, and is exactly how you can filter or process email automatically as it is received. It's not exactly a backdoor since /etc/mail/aliases is owned by root and not writable by ordinary users. A user can place a .forward in their $HOME directory but the script will only run if the delivery process can run the script or program. This is likely where a security scan would be centered:<BR /> <BR />ll /home/*/.forward<BR /> <BR />If you grep for the | (pipe) symbol in aliases and .forward files, you will see any automated mail handling. Also look for procmail as another way to handle incoming email. Mon, 10 Jul 2006 15:09:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820570#M741141 Bill Hassell 2006-07-10T15:09:49Z https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820571#M741142 yes. you can use .forward to invoke commands via pipes. once encountered a user which use this future to invoke backdoor by sending mail with a triggering word. Fri, 14 Jul 2006 08:08:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-forward-execute-code/m-p/3820571#M741142 Ron Cohen 2006-07-14T08:08:49Z