Mailbox vulnerable?

Nifty Hat Mitch mitch48 at sbcglobal.net
Sun Jul 4 05:31:34 UTC 2004


On Mon, Jun 28, 2004 at 04:14:05PM +0200, Alexander Dalloz wrote:
> On Mon, 28.06.2004 at 16:04, Olga wrote:
> 
> > /var/spool/mail should have the following permissions:
> > drwxrwxrwt (it should have the sticky bit set).
> 
> No, the default permissions are proper!
> 
> Hongwei, we had exactly that topic on Thursday last week and I explained
> it to you. So what did you change and how do you use mail? Which pine
> (source or packager and version) do you use? How else do users read
> mail? Are the log entries caused by users using pine and a different
> mail client same time?

This is an old pine problem (and one shared by other old-style mail tools).

Over the history of mail and mail boxes multiple strategies for
locking mail boxes have surfaced.  Lock files were once commonly used.

If you are running a current version of pine this should not be an
issue!

If you are using an old version or compile a version to use old
locking tricks and it needs access to the mail-dir then 1777 is the
correct permission bit set.

Since pine is no longer part of Fedora you should be working from
current source or from a current trusted repository package!  I
believe the current version is 4.60-1.

   http://www.washington.edu/pine/getpine/linux.html

On the above URL I see handy rpms for Fedora.  After installing pine
4.60-1 on a FC2 system I did not see the message about unsafe
permissions.  I suspect that you have an old version!

I recommend updating this way!

  rpm -e pine  # could be important if the two packages are built by different folks.
  rpm -ivh pine-4.60-1.i386.rpm  #  use the washington-U handy rpm's

In my opinion no dir should be 777.  If you need to open it up use
1777, the extra bit gives a little more security.  See also tmpdir.

-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.