Date:      Fri, 07 Jun 1996 10:25:37 -0700
From:      Paul Traina <pst@shockwave.com>
To:        Barnacle Wes <softweyr@xmission.com>
Cc:        security@freebsd.org
Subject:   Re: FreeBSD's /var/mail permissions 
Message-ID:  <199606071725.KAA01419@precipice.shockwave.com>
In-Reply-To: Your message of "Fri, 07 Jun 1996 09:42:08 MDT." <199606071542.JAA14520@xmission.xmission.com> 

Correction: Most MUAs do not need write access to this directory,
so they are not SUID root.  They just work on the files.

  From: Barnacle Wes <softweyr@xmission.com>
  Subject: Re: FreeBSD's /var/mail permissions
  > Proposed solution:
  >     I'm considering creating group "mail" and going the setgid route,
  >     so that a program which creates files in /var/mail can be simply
  >     setgid mail.
  > 
  >     This is a well understood mail directory protection mechanism
  >     and employs the "principle of least privilege."
  
  From a security standpoint, this is a win.  If it were only *one*
  less suid program, it probably wouldn't be worth bothering with, but
  with the number of MUAs on the average system these days (elm, pine,
  emacs, mh, xmh, netscape, various X mailers, etc) this is worth doing.
  Each of these can be changed from suid to sgid as someone is doing a
  port update.
  
  -- 
     Wes Peters	| Yes I am a pirate, two hundred years too late
      Softweyr 	| The cannons don't thunder, there's nothing to plunder
     Consulting	| I'm an over forty victim of fate...
   softweyr@xmission.com	|				Jimmy Buffett
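
Added example, not part of the original message or of FreeBSD's code: a Python audit of the layout proposed above, reporting which mail programs are still setuid root and whether the spool directory is writable by group mail rather than by everyone. The root:mail 0775 target, the gid value and the sample paths are assumptions constructed for illustration; the thread gives no exact modes.

```python
import os
import stat
from typing import NamedTuple

class Entry(NamedTuple):
    path: str
    mode: int   # st_mode: file type plus permission bits
    uid: int
    gid: int

def stat_entry(path: str) -> Entry:
    """Read a real file's metadata (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    return Entry(path, st.st_mode, st.st_uid, st.st_gid)

def classify_binary(e: Entry, mail_gid: int) -> str:
    """Name the privilege a mail program gains when executed."""
    if e.mode & stat.S_ISUID and e.uid == 0:
        return "setuid-root"        # candidate for conversion to setgid mail
    if e.mode & stat.S_ISGID and e.gid == mail_gid:
        return "setgid-mail"        # the proposed least-privilege form
    if e.mode & (stat.S_ISUID | stat.S_ISGID):
        return "other-privileged"
    return "unprivileged"

def check_spool(e: Entry, mail_gid: int) -> list:
    """Problems with the spool directory under the assumed root:mail 0775 layout."""
    checks = [
        (not stat.S_ISDIR(e.mode), "not a directory"),
        (e.uid != 0, "owner is not root"),
        (e.gid != mail_gid, "group is not mail"),
        (not e.mode & stat.S_IWGRP, "group mail cannot create files"),
        (bool(e.mode & stat.S_IWOTH), "world-writable"),
    ]
    return [msg for failed, msg in checks if failed]

# Constructed sample data: the gid and paths are illustrative, not from the thread.
MAIL_GID = 6
SPOOL = Entry("/var/mail", stat.S_IFDIR | 0o755, 0, 0)
MAILERS = [
    Entry("/usr/local/bin/elm", stat.S_IFREG | 0o4755, 0, 0),
    Entry("/usr/local/bin/pine", stat.S_IFREG | 0o2755, 0, MAIL_GID),
    Entry("/usr/local/bin/xmh", stat.S_IFREG | 0o755, 0, 0),
]

if __name__ == "__main__":
    print(SPOOL.path, check_spool(SPOOL, MAIL_GID) or "ok")
    for m in MAILERS:
        print(m.path, classify_binary(m, MAIL_GID))
```

On a live system, build the entries with `stat_entry()` and pass the gid of the local mail group instead of the constructed values.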


