From owner-freebsd-security Mon Jun 25 9:59: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 9611437B401 for ; Mon, 25 Jun 2001 09:59:00 -0700 (PDT) (envelope-from jdicioccio@epylon.com) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Mon, 25 Jun 2001 09:58:58 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D9B4@goofy.epylon.lan> From: Jason DiCioccio To: 'Leonard Chung' , security@FreeBSD.ORG Subject: RE: "Correct" permissions on /var/mail? Date: Mon, 25 Jun 2001 09:58:51 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I use the freebsd default, although someone could still fill up /var if they wanted to.. (cat /dev/urandom >/var/mail/`whoami`) But 1777 they could create extra files, no? I'd rather not have a second /tmp.. Cheers, - -JD- - -----Original Message----- From: Leonard Chung [mailto:leonard@ssl.berkeley.edu] Sent: Sunday, June 24, 2001 2:12 PM To: security@FreeBSD.ORG Subject: "Correct" permissions on /var/mail? I was having a debate with a colleague the other day on the correct mode for /var/mail. He claimed that 1777 is more secure than what I've always had (the FreeBSD default of root:mail 775). 1777 gives you the additional benefit of protecting you from compromises on the mail group, but requires that on every machine quotas be installed even for machines with just one or two users. Without quotas, a malicious user could fill up /var/mail creating a DoS for everybody receiving mail off that machine. 775 doesn't protect against compromises of the mail group, but has the added benefit that it protects against a user filling /var/mail inadvertently as they would have to purposely send lots of e-mail. Which do most of you use? Is there a reason /var/mail is initially set to 775 rather than 1777? Thanks, Leonard - -- Leonard Chung - SETI@home - The Search for Extraterrestrial Intelligence @ home http://www.setiathome.ssl.berkeley.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOzdupVCmU62pemyaEQK3RwCgzkfVW04EYczOaPU7bJrNb1RQM2wAn0tI VBfsNr+Jg1j6n+S40M4QXRMA =RbAH -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message