On Mon, 2004-06-28 at 14:12, Olga wrote:
Well, you can either take the Red Hat point of view or the University of Washington's. You can leave the permissions the way they are, but you will have those messages in the log. If they don't bother you that's ok, but they bugged me. On one test box I also tried installing an older version of imap over the top and that solved the problem for me as well. I didn't have to change permissions and there were no messages.
Probably the one giving the messages came from some source other than Red Hat, and did not have their patches applied. The age of the package would not really be a factor, since the ones from Red Hat were patched and the ones from other sources were not.
Quoting Hongwei Li hongwei@morpheus.wustl.edu:
The bug has already been reported:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
Thanks! This is very useful! What do you think about the comment in the report page, especially the 3rd paragraph:
Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------
This warning message from UW imap is 100% bogus. Red Hat does not use the same locking mechanism that is recommended by the UW imap people, because it is inherently more insecure.
All software on the system which accesses the mail spool files must agree upon a common locking mechanism, and must be patched if necessary to all use one single mechanism. Red Hat has been using the same mechanism in all OS releases for many years now, and we have patched UW imap, and UW pine to use our system-wide mechanism for some time now.
UW suggests that the mail spool directory should be mode 1777, which is incredibly insane, as that makes the mail spool directory *world writeable*, and thus subject to local DOS attacks. That is totally unacceptable in a modern Linux/UNIX OS.
The proper fix for this bug is to patch the UW imap sources to remove this bogus warning/error message, because we do not use the insecure method that UW recommends for mail locking. Doing otherwise would require patching every single MTA, MDA, and MUA in the entire distribution to do it the insecure world-writeable way, and we decided a very long time ago that that was not acceptable.
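To see which side of the mode 1777 question discussed in this thread a given system is on, the spool directory's permission bits can be checked directly. The following is an added example, not code from the thread or from Red Hat or UW; the function names are hypothetical and the two spool paths are assumed common locations.

```python
import os
import stat


def classify_mode(mode):
    """Map a directory's permission bits to findings about who can create files in it."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
        # The sticky bit only restricts deleting or renaming other users'
        # entries; it does not stop any local user from creating new files.
        findings.append("sticky" if mode & stat.S_ISVTX else "no-sticky")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def audit_spool_dir(path):
    """Stat one spool directory and return (octal mode string, findings)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    mode = stat.S_IMODE(st.st_mode)
    return format(mode, "04o"), classify_mode(mode)


if __name__ == "__main__":
    # Assumed common spool locations; adjust for the system being audited.
    for candidate in ("/var/spool/mail", "/var/mail"):
        if os.path.isdir(candidate):
            mode, findings = audit_spool_dir(candidate)
            print(candidate, mode, ", ".join(findings) or "no write access beyond owner")
```

A result containing "world-writable" corresponds to the 1777-style layout the quoted Bugzilla comment objects to.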