Here's the scenario, as I understand it:
The attacker can't modify the symlink in /etc because that directory is not owned or writable by the attacker. The attacker can make a hard link, though, and that's where the hole is.
To my eyes, the real problem is that it's possible to deliver mail for user $FOO to a file that user $FOO doesn't have write permission on. If you're reading mail via a local mail spool, and the user has control over where it's written, it seems as though some setfsuid is in order when writing it?
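An added example, not part of the comment above or of any mail program's code: a Linux-only sketch of a delivery-side open that switches the filesystem UID to the recipient and then checks the opened file itself. The helper name `open_mailbox_for` and the policy of rejecting any file with more than one link are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open an existing mailbox for appending on behalf of
 * `owner`. Returns an fd, or -1 if the recipient could not have opened the
 * file themselves or the file is not a singly linked regular file they own. */
int open_mailbox_for(const char *path, uid_t owner)
{
    struct stat st;
    int fd;
    /* Let the kernel apply the recipient's permissions to open(). */
    uid_t prev = (uid_t)setfsuid(owner);
    /* setfsuid() does not report failure; setfsuid(-1) returns the current value. */
    if ((uid_t)setfsuid((uid_t)-1) != owner) {
        setfsuid(prev);
        return -1;
    }
    /* O_NOFOLLOW refuses a symlink as the final path component. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    setfsuid(prev);
    if (fd < 0)
        return -1;
    /* Check the object that was opened, not the name, so a swap cannot race us. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||  /* no devices, FIFOs or directories */
        st.st_uid != owner ||    /* must belong to the recipient */
        st.st_nlink != 1) {      /* a second name means a hard link exists */
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s MAILBOX\n", argv[0]);
        return 2;
    }
    int fd = open_mailbox_for(argv[1], geteuid());
    puts(fd >= 0 ? "ok to deliver" : "refused");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```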
Copyright © 2017, Eklektix, Inc.