Hi,
We have a fc1 box. We have the permissions setting as:
# ls -ld /var/spool/mail
drwxrwxr-x 2 root mail 4096 Jun 28 08:43 /var/spool/mail
# ls -ld /tmp
drwxrwxrwt 11 root root 24576 Jun 28 08:43 /tmp
The LogWatch always shows the warning:
Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
When a regular user (except root) opens pine to read mails, he also sees this message at the very beginning for about 1 to 2 seconds. As I understand, the permission drwxrwxr-x is correct. What is wrong? Do I need to change the permission on the mail directory? If yes, change it to what?
Thanks!
Hongwei
/var/spool/mail should have the following permissions: drwxrwxrwt (it should have the sticky bit set).
Quoting Hongwei Li hongwei@morpheus.wustl.edu:
Hi,
We have a fc1 box. We have the permissions setting as:
# ls -ld /var/spool/mail
drwxrwxr-x 2 root mail 4096 Jun 28 08:43 /var/spool/mail
# ls -ld /tmp
drwxrwxrwt 11 root root 24576 Jun 28 08:43 /tmp
The LogWatch always shows the warning:
Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
When a regular user (except root) opens pine to read mails, he also sees this message at the very beginning for about 1 to 2 seconds. As I understand, the permission drwxrwxr-x is correct. What is wrong? Do I need to change the permission on the mail directory? If yes, change it to what?
Thanks!
Hongwei
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
On Mon, 28.06.2004 at 16:04, Olga wrote:
/var/spool/mail should have the following permissions: drwxrwxrwt (it should have the sticky bit set).
No, the default permissions are proper!
Hongwei, we had exactly that topic on Thursday last week and I explained it to you. So what did you change and how do you use mail? Which pine (source or packager and version) do you use? How else do users read mail? Are the log entries caused by users using pine and a different mail client same time?
Alexander
Thanks! But my rh7.3 box has
# ls -ld /var/spool/mail/
drwxr-xr-x 2 root root 4096 Jun 28 08:00 /var/spool/mail/
but never shows any warning message. Is it because rh7.3 is too old?
Also, should it be drwxrwxrwt or drwxrwxr-t? should it be
drwxrwxrwt root mail
or
drwxrwxrwt root root?
Thanks!
Alexander Dalloz writes:
No, the default permissions are proper!
Hongwei, we had exactly that topic on Thursday last week and I explained it to you. So what did you change and how do you use mail? Which pine (source or packager and version) do you use? How else do users read mail? Are the log entries caused by users using pine and a different mail client same time?
The error message is pine's poor way of saying that it can't lock the mailbox. With permissions of 775 pine can't create the mbox.lock file that it REALLY wants to create.
On Mon, 28.06.2004 at 16:18, Hongwei Li wrote:
Thanks! But my rh7.3 box has
# ls -ld /var/spool/mail/
drwxr-xr-x 2 root root 4096 Jun 28 08:00 /var/spool/mail/
but never shows any warning message. Is it because rh7.3 is too old?
Has nothing to do with its age, but obviously the setup changed a bit.
Also, should it be drwxrwxrwt or drwxrwxr-t? should it be
drwxrwxrwt root mail
or
drwxrwxrwt root root?
Neither - I posted you the correct permissions on Thursday!
chmod 775 /var/spool/mail
chown root:mail /var/spool/mail
Alexander
drwxrwxrwt root mail
It's because Fedora 1 has a different version of imap than 7.3.
Alexander,
Yes, I did change the permission on /tmp:
# chmod 1777 /tmp
but never touched /var/spool/mail's permission. Since then, I pay attention to all warning messages and found this one. The pine package was downloaded, pine.tar.gz for Unix system, pine4.58. I downloaded pine for RH9, but it does not work. Most users use SquirrelMail and EMUMail, some users use Outlook Express and NetscapeMail, a few people still like pine (that is why I downloaded and installed it). We had a problem when /tmp had wrong permission. Thanks for your help, after I changed the permission, these mail tools work normally. But, I see this warning message in system log, LogWatch to the root, and when trying a test account's pine.
Should I remove the pine? Will that make the warning not showing?
Thanks!
Hongwei
The log messages have nothing to do with pine. When I installed F1, I did not install pine and was still getting those messages. Changing permissions on /var/spool/mail solved it.
After I set:
# chmod 1777 /var/spool/mail
# ls -ld /var/spool/mail*
drwxrwxrwt 2 root mail 4096 Jun 28 09:56 /var/spool/mail
drwxr-xr-x 3 root root 4096 May 20 15:02 /var/spool/mailman
My SquirrelMail immediately failed and automatically logged out with "Login failure error". Then, I checked the system log, and found the following:
Jun 28 09:57:46 morpheus imap(pam_unix)[29850]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=hongwei
Jun 28 09:57:49 morpheus imapd[29850]: Login failed user=hongwei auth=hongwei host=localhost.localdomain [127.0.0.1]
Jun 28 09:57:52 morpheus imapd[29850]: Command stream end of file, while reading line user=hongwei host=localhost.localdomain [127.0.0.1]
Jun 28 09:58:05 morpheus imap(pam_unix)[29856]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=hongwei
Jun 28 09:58:07 morpheus imapd[29856]: Login failed user=hongwei auth=hongwei host=localhost.localdomain [127.0.0.1]
Jun 28 09:58:10 morpheus imapd[29856]: Command stream end of file, while reading line user=hongwei host=localhost.localdomain [127.0.0.1]
I am afraid that other users will immediately complain to me, so I had to put it back as before, then I can use my squirrelmail.
What is wrong? Thanks!
Hongwei
On Mon, 28.06.2004 at 16:36, Olga wrote:
The log messages have nothing to do with pine. When I installed F1, I did not install pine and was still getting those messages. Changing permissions on /var/spool/mail solved it.
You then use broken software!
I run mail services on FC1 quite a long time now and never had any issues with the default permissions, which are chosen carefully by the Redhat maintainer. If you feel the need to change them this indicates you have a problem on your site with the used software which is certainly not for Fedora.
Alexander
Something else must be wrong with your settings. I have Squirrelmail and Horde IMP running with those permissions for /var/spool/mail (1777) just fine. Individual mailboxes have permissions of 660 in my setup.
You may want to read the following: http://www.washington.edu/imap/IMAP-FAQs/index.html#7.10
On Mon, 28.06.2004 at 17:16, Hongwei Li wrote:
After I set:
# chmod 1777 /var/spool/mail
# ls -ld /var/spool/mail*
drwxrwxrwt 2 root mail 4096 Jun 28 09:56 /var/spool/mail
drwxr-xr-x 3 root root 4096 May 20 15:02 /var/spool/mailman
My SquirrelMail immediately failed and automatically logged out with "Login failure error". Then, I checked the system log, and found the following:
Jun 28 09:57:46 morpheus imap(pam_unix)[29850]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=127.0.0.1 user=hongwei
I am afraid that other users will immediately complain to me, so I had to put it back as before, then I can use my squirrelmail.
What is wrong? Thanks!
Hongwei
Leave the permissions as they are! Use the pine 4.60 RPM by Dag Wieers which is made for FC1 and FC2 and contains some patches to cover locking issues.
http://dag.wieers.com/packages/pine/
Alexander
Thanks! I will try it.
Hongwei
This is another new user question: I have successfully set up my first Linux system and connected to the internet via dial-up (this is a home system). I was able to get my modem to work by using the Network Device Control dialogue where I was able to configure my modem to dial up my ISP. This works well. When I tried to use KPPP, however, I had a problem. There are a few more settings in KPPP, but I basically took the defaults, entering the ISP info where required. It dials out and connects fine. When I try to use mail or a browser, however, it gives me an error. Does someone have an idea? Is this a permissions issue, or a firewall setting? I've been through the settings in KPPP and tried a couple of alternatives, but they don't seem to make a difference.
Claude Jones WTVS, Leesburg, VA a division of Levit & James, Inc.
I installed the new pine 4.60. When I try a test account's pine, the warning message is gone. Thanks!
However, the system mail log (not message log) shows warning:
Jun 28 11:13:03 morpheus ipop3d[1183]: pop3 service init from 128.252.85.189
Jun 28 11:13:03 morpheus ipop3d[1183]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
after each pop3 user logs in (Outlook Express, etc.), but it seems no warning message after squirrelmail user logs in.
Anything else is wrong? or should be changed. I have never touched the pop3 service, but just set iptables and open the port for it.
Thanks!
Hongwei
On Mon, 2004-06-28 at 11:21, Hongwei Li wrote:
I installed the new pine 4.60. When I try a test account's pine, the warning message is gone. Thanks!
However, the system mail log (not message log) shows warning:
Jun 28 11:13:03 morpheus ipop3d[1183]: pop3 service init from 128.252.85.189
Jun 28 11:13:03 morpheus ipop3d[1183]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
after each pop3 user logs in (Outlook Express, etc.), but it seems no warning message after squirrelmail user logs in.
Anything else is wrong? or should be changed. I have never touched the pop3 service, but just set iptables and open the port for it.
Thanks!
Hongwei
My FC2 box has default permissions and does not log these messages
drwxrwxr-x 2 root mail 4096 Jun 28 11:46 /var/spool/mail
The contents of /var/spool/mail are (for each user)
-rw-rw---- 1 user mail 7074 Jun 28 11:58 user
On Mon, 28.06.2004 at 18:21, Hongwei Li wrote:
I installed the new pine 4.60. When I try a test account's pine, the warning message is gone. Thanks!
Good.
However, the system mail log (not message log) shows warning:
Jun 28 11:13:03 morpheus ipop3d[1183]: pop3 service init from 128.252.85.189
Jun 28 11:13:03 morpheus ipop3d[1183]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
after each pop3 user logs in (Outlook Express, etc.), but it seems no warning message after squirrelmail user logs in.
Anything else is wrong? or should be changed. I have never touched the pop3 service, but just set iptables and open the port for it.
Hongwei
I can confirm that warning messages appear in the log by uw-imapd. Normally I do not offer POP3 to my users, just IMAPs and with that I never had any issue. Now for testing I activated POP3 locally in addition and telneted to it. In result I get the message too:
==> /var/log/imaplog <==
Jun 28 19:06:12 blacky ipop3d[14128]: Trying to get mailbox lock from process 29363
Jun 28 19:06:13 blacky ipop3d[14128]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
Jun 28 19:06:13 blacky ipop3d[14128]: Login user=adalloz host=localhost.localdomain [127.0.0.1] nmsgs=207/207
Jun 28 19:06:27 blacky ipop3d[14128]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
Jun 28 19:06:27 blacky ipop3d[14128]: Logout user=adalloz host=localhost.localdomain [127.0.0.1] nmsgs=207 ndele=0
So I suggest checking bugzilla for reports about that. If nothing is in there you might fill in a report yourself. Though I doubt there will be ever a fix as uw-imapd is no more shipped with current FC2. You may switch over to dovecot or disable POP3 and let your users use IMAP. Or you live with the warnings in the log. You too might try setting the permissions "chmod 1777 /var/spool/mail" and see whether you face other problems or errors in any logfile.
Alexander
I do use uw-imapd. What is shipped with fc2? how to switch over to dovecot in fc1? Any document or link I can read? Thanks!
Hongwei
The bug has already been reported:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
The bug has already been reported:
Thanks! This is very useful! What do you think about the comment in the report page, especially the 3rd paragraph:
Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------
This warning message from UW imap is 100% bogus. Red Hat does not use the same locking mechanism that is recommended by the UW imap people, because it is inherently more insecure.
All software on the system which accesses the mail spool files must agree upon a common locking mechanism, and must be patched if necessary to all use one single mechanism. Red Hat has been using the same mechanism in all OS releases for many years now, and we have patched UW imap, and UW pine to use our system-wide mechanism for some time now.
UW suggests that the mail spool directory should be mode 1777, which is incredibly insane, as that makes the mail spool directory *world writeable*, and thus subject to local DOS attacks. That is totally unacceptable in a modern Linux/UNIX OS.
The proper fix for this bug, is to patch the UW imap sources to remove this bogus warning/error message, because we do not use the insecure method that UW recommends for mail locking. Doing otherwise, would require patching every single MTA, MDA, and MUA in the entire distribution to do it the insecure world-writeable way, and we decided a very long time ago that that was not acceptable.
Well, you can either take Red Hat point of view or the University of Washington. You can leave the permissions the way they are, but you will have those messages in the log. If they don't bother you that's ok, but they bugged me. On one test box I also tried installing an older version of imap over the top and that solved the problem for me as well. I didn't have to change permission and there were no messages.
On Mon, 28.06.2004 at 20:27, Hongwei Li wrote:
I do use uw-imapd. What is shipped with fc2? how to switch over to dovecot in fc1? Any document or link I can read? Thanks!
Hongwei
FC2 ships dovecot and for those needing a very powerful IMAP/POP3 server the Cyrus-IMAPd, which is not that easy to configure and administrate.
If you want to switch over to dovecot that should be no big problem. Dovecot as well handles the mbox format and can use the mail spool directory. You need to uninstall the uw-imapd and install dovecot. Then edit /etc/dovecot.conf to configure it. If using POP3 you need to adjust 2 lines. What to do you find in this list's archive. It was posted recently. Additional help you can find on the dovecot website as well in the manpages.
Alexander
P.S. Thanks to Olga for pointing to the bugzilla entry about the log entries with uw-imapd and POP3 service.
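The directory modes argued over in this thread (775 root:mail, 1777, and the 755 seen on the rh7.3 box) differ in who may create or remove files in the spool. The shell audit below is an added example, not code from any poster, Red Hat or UW; its function names and labels are made up for illustration, it assumes GNU `stat`, and its demo runs on a constructed temporary directory rather than the real /var/spool/mail.

```shell
#!/bin/bash
# Added example (not from the thread): audit a mail spool directory's mode.
# Assumes GNU coreutils stat (-c), as shipped on Fedora/Red Hat.

# Print one label describing who may create or remove entries in DIR.
classify_spool() {
    spool_dir=$1
    [ -d "$spool_dir" ] || { echo "not-a-directory"; return 2; }
    spool_bits=$(( 0$(stat -c '%a' "$spool_dir") ))   # octal mode -> integer
    if [ $(( spool_bits & 0002 )) -ne 0 ]; then
        if [ $(( spool_bits & 01000 )) -ne 0 ]; then
            # 1777: every local user can create files (e.g. lock files) here;
            # the sticky bit only stops them removing other users' entries.
            echo "world-writable-sticky"
        else
            # 777: any local user can also delete or rename others' mailboxes.
            echo "world-writable-no-sticky"
        fi
    elif [ $(( spool_bits & 0020 )) -ne 0 ]; then
        # 775 root:mail: only the owner and members of the owning group
        # can create entries such as lock files.
        echo "group-writable"
    else
        # 755: only the directory owner can create entries.
        echo "owner-only"
    fi
}

# Print the name of every mailbox file in DIR that grants any permission
# to "other" users (the thread's per-user mailboxes are 660).
loose_mailboxes() {
    for mbox in "$1"/*; do
        [ -f "$mbox" ] || continue
        mbox_bits=$(( 0$(stat -c '%a' "$mbox") ))
        if [ $(( mbox_bits & 0007 )) -ne 0 ]; then
            basename "$mbox"
        fi
    done
}

# Demo on a constructed tree; no real spool is touched.
demo() {
    demo_root=$(mktemp -d)
    for demo_mode in 775 1777 755; do
        mkdir "$demo_root/spool$demo_mode"
        chmod "$demo_mode" "$demo_root/spool$demo_mode"
        printf '%s -> %s\n' "$demo_mode" \
            "$(classify_spool "$demo_root/spool$demo_mode")"
    done
    touch "$demo_root/spool775/alice" "$demo_root/spool775/bob"
    chmod 660 "$demo_root/spool775/alice"
    chmod 644 "$demo_root/spool775/bob"    # readable by everyone
    printf 'loose mailboxes: %s\n' "$(loose_mailboxes "$demo_root/spool775")"
    rm -rf "$demo_root"
}
demo
```

On a real host, pass /var/spool/mail to `classify_spool` and `loose_mailboxes` instead of the temporary directories.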
----- Original Message -----
From: "Claude Jones" claude_jones@levitjames.com
To: "'For users of Fedora Core releases'" fedora-list@redhat.com
Sent: Monday, June 28, 2004 6:15 PM
Subject: Connection problem
This is another new user question: I have successfully set up my first Linux system and connected to the internet via dial-up (this is a home system). I was able to get my modem to work by using the Network Device Control dialogue where I was able to configure my modem to dial up my ISP. This works well. When I tried to use KPPP, however, I had a problem. There are a few more settings in KPPP, but I basically took the defaults, entering the ISP info where required. It dials out and connects fine. When I try to use mail or a browser, however, it gives me an error. Does someone have an idea? Is this a permissions issue, or a firewall setting? I've been through the settings in KPPP and tried a couple of alternatives, but they don't seem to make a difference.
perhaps it is DNS related: The way to go after a connection is made is:
open a local shell
ping localhost
ping assigned ip number
if ok PPP on ip is ok otherwise check ppp settings: password / login, firewall etc
ping known DNS server by IP number
if ok then your dial-in is OK, otherwise check ppp settings: mtu firewall etc etc
ping known DNS server by name
if not ok you've got a DNS problem
look at /etc/resolv.conf there should be a valid dnsserver
check for ppp settings: usepeerdns
ping another host by name
if not ok change DNS server
On Mon, 28.06.2004 at 18:15, Claude Jones wrote:
This is another new user question: I have successfully set up my first Linux system and connected to the internet via dial-up (this is a home system). I was able to get my modem to work by using the Network Device Control dialogue where I was able to configure my modem to dial up my ISP. This works well. When I tried to use KPPP, however, I had a problem. There are a few more settings in KPPP, but I basically took the defaults, entering the ISP info where required. It dials out and connects fine. When I try to use mail or a browser, however, it gives me an error. Does someone have an idea? Is this a permissions issue, or a firewall setting? I've been through the settings in KPPP and tried a couple of alternatives, but they don't seem to make a difference.
Claude Jones
Please don't hijack foreign threads: don't reply to a list mail when you want to post a fresh new one!
Check your /etc/resolv.conf file to have the nameservers of your ISP in there.
Alexander
Fons: Thank you for your help. I had found similar suggestions during my efforts to find a solution by searching the list archives. I will try this when I return home, tonight (machine is new home PC). The thing that was confusing to me was why I would have to configure DNS in KPPP when I didn't have to do so in the Network Device Control dialogue. In the latter, I simply told it to get all info from DHCP and it worked.
Claude Jones
On Mon, 28 Jun 2004 21:52:27 +0200, Fons van der Beek fons@so-o.nl wrote:
----- Original Message ----- From: "Claude Jones" claude_jones@levitjames.com To: "'For users of Fedora Core releases'" fedora-list@redhat.com Sent: Monday, June 28, 2004 6:15 PM Subject: Connection problem
This is another new user question: I have successfully set up my first Linux system and connected to the internet via dial-up (this is a home system). I was able to get my modem to work by using the Network Device Control dialogue where I was able to configure my modem to dial up my ISP. This works well. When I tried to use KPPP, however, I had a problem. There are a few more settings in KPPP, but I basically took the defaults, entering the ISP info where required. It dials out and connects fine. When I try to use mail or a browser, however, it gives me an error. Does someone have an idea? Is this a permissions issue, or a firewall setting? I've been through the settings in KPPP and tried a couple of alternatives, but they don't seem to make a difference.
perhaps it is DNS related: The way to go after a connection is made is:
open a local shell
ping localhost
ping assigned ip number
    if ok PPP on ip is ok, otherwise check ppp settings: password / login, firewall etc
ping known DNS server by IP number
    if ok then your dial-in is OK, otherwise check ppp settings: mtu firewall etc etc
ping known DNS server by name
    if not ok you've got a DNS problem
    look at /etc/resolv.conf, there should be a valid dnsserver
    check for ppp settings: usepeerdns
ping another host by name
    if not ok change DNS server
Alexander: I had received one other private admonition to this effect. It has been duly noted - I hadn't been aware of the problem of doing things in this way. The error shall not be repeated.
Claude Jones
On Mon, 28 Jun 2004 22:16:55 +0200, Alexander Dalloz alexander.dalloz@uni-bielefeld.de wrote:
On Mon, 28.06.2004 at 18:15, Claude Jones wrote:
This is another new user question: I have successfully set up my first Linux system and connected to the internet via dial-up (this is a home system). I was able to get my modem to work by using the Network Device Control dialogue where I was able to configure my modem to dial up my ISP. This works well. When I tried to use KPPP, however, I had a problem. There are a few more settings in KPPP, but I basically took the defaults, entering the ISP info where required. It dials out and connects fine. When I try to use mail or a browser, however, it gives me an error. Does someone have an idea? Is this a permissions issue, or a firewall setting? I've been through the settings in KPPP and tried a couple of alternatives, but they don't seem to make a difference.
Claude Jones
Please don't hijack foreign threads: don't reply to a list mail when you want to post a fresh new one!
Check your /etc/resolv.conf file to have the nameservers of your ISP in there.
Alexander
On Mon, 2004-06-28 at 14:12, Olga wrote:
Well, you can either take the Red Hat point of view or the University of Washington's. You can leave the permissions the way they are, but you will have those messages in the log. If they don't bother you that's ok, but they bugged me. On one test box I also tried installing an older version of imap over the top and that solved the problem for me as well. I didn't have to change permissions and there were no messages.
Probably the one giving the messages came from some source other than RedHat, and did not have their patches applied. The age of the package would not really be a factor, since the ones from redhat were patched and the ones from other sources were not.
Quoting Hongwei Li hongwei@morpheus.wustl.edu:
The bug has already been reported:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
Thanks! This is very useful! What do you think about the comment in the report page, especially the 3rd paragraph:
Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------
This warning message from UW imap is 100% bogus. Red Hat does not use the same locking mechanism that is recommended by the UW imap people, because it is inherently more insecure.
All software on the system which accesses the mail spool files must agree upon a common locking mechanism, and must be patched if necessary to all use one single mechanism. Red Hat has been using the same mechanism in all OS releases for many years now, and we have patched UW imap, and UW pine to use our system-wide mechanism for some time now.
UW suggests that the mail spool directory should be mode 1777, which is incredibly insane, as that makes the mail spool directory *world writeable*, and thus subject to local DOS attacks. That is totally unacceptable in a modern Linux/UNIX OS.
The proper fix for this bug is to patch the UW imap sources to remove this bogus warning/error message, because we do not use the insecure method that UW recommends for mail locking. Doing otherwise would require patching every single MTA, MDA, and MUA in the entire distribution to do it the insecure world-writeable way, and we decided a very long time ago that that was not acceptable.
On Mon, Jun 28, 2004 at 04:14:05PM +0200, Alexander Dalloz wrote:
On Mon, 28.06.2004 at 16:04, Olga wrote:
/var/spool/mail should have the following permissions: drwxrwxrwt (it should have the sticky bit set).
No, the default permissions are proper!
Hongwei, we had exactly that topic on Thursday last week and I explained it to you. So what did you change and how do you use mail? Which pine (source or packager and version) do you use? How else do users read mail? Are the log entries caused by users using pine and a different mail client at the same time?
This is an old pine problem (and other old style mail tools).
Over the history of mail and mail boxes multiple strategies for locking mail boxes have surfaced. Lock files were once commonly used.
If you are running a current version of pine this should not be an issue!
If you are using an old version or compile a version to use old locking tricks and it needs access to the mail-dir then 1777 is the correct permission bit set.
Since pine is no longer part of Fedora you should be working from current source or from a current trusted repository package! I believe the current version is 4.60-1
http://www.washington.edu/pine/getpine/linux.html
On the above URL I see handy rpm's for Fedora. After installing pine 4.60-1 on a FC2 system I did not see the message about unsafe permissions. I suspect that you have an old version!
I recommend updating this way!
rpm -e pine  # could be important if the two packages are built by different folks.
rpm -ivh pine-4.60-1.i386.rpm  # use the washington-U handy rpm's
In my opinion no dir should be 777. If you need to open it up use 1777, the extra bit gives a little more security. See also tmpdir.
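The three directory modes argued over in this thread (drwxrwxr-x, 1777 and 777) can be told apart from the mode string that `ls -ld` prints. The script below is an added example, not part of any post in the thread; the function names and category labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a directory by the mode
# string that `ls -ld` prints, e.g. drwxrwxr-x or drwxrwxrwt.

# classify_mode MODESTRING -> prints one of (labels are illustrative):
#   restricted       others cannot write (drwxrwxr-x, the FC1 default shown above)
#   sticky-writable  world-writable with the sticky bit (drwxrwxrwt, i.e. 1777)
#   open-writable    world-writable without the sticky bit (drwxrwxrwx, i.e. 0777)
classify_mode() {
    other_w=$(printf '%s' "$1" | cut -c9)    # write bit for "others"
    other_x=$(printf '%s' "$1" | cut -c10)   # x, -, or t/T when sticky is set
    if [ "$other_w" != "w" ]; then
        echo restricted
        return 0
    fi
    case $other_x in
        t|T) echo sticky-writable ;;
        *)   echo open-writable ;;
    esac
}

# classify_dir PATH -> same classification for a real directory.
classify_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # Field 1 of `ls -ld` is the mode string; keep 10 characters because some
    # systems append '.' or '+' for a security context or ACL.
    modestr=$(ls -ld -- "$1" | awk '{print substr($1, 1, 10)}')
    classify_mode "$modestr"
}

# report PATH -> one line describing who can create and remove entries.
report() {
    case $(classify_dir "$1") in
        restricted)
            echo "$1: not world-writable; only owner and group can create or remove entries" ;;
        sticky-writable)
            echo "$1: world-writable, sticky; anyone can create entries, but only an entry's owner, the directory owner or root can remove or rename it" ;;
        open-writable)
            echo "$1: world-writable, no sticky bit; any user can remove or rename other users' entries" ;;
    esac
}
```

Running `report /var/spool/mail` and `report /tmp` on the box from the first post would print the first and second descriptions respectively.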