From owner-freebsd-security Sat Jun 8 08:05:43 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA27523 for security-outgoing; Sat, 8 Jun 1996 08:05:43 -0700 (PDT) Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA27503 for ; Sat, 8 Jun 1996 08:05:40 -0700 (PDT) Received: from shockwave.com (localhost.shockwave.com [127.0.0.1]) by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id IAA05536; Sat, 8 Jun 1996 08:04:43 -0700 (PDT) Message-Id: <199606081504.IAA05536@precipice.shockwave.com> To: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chernov, Black Mage) cc: pantzer@ludd.luth.se (Mattias Pantzare), security@FreeBSD.org Subject: Re: FreeBSD's /var/mail permissions In-reply-to: Your message of "Sat, 08 Jun 1996 11:32:35 +0400." <199606080732.LAA00950@astral.msk.su> Date: Sat, 08 Jun 1996 08:04:43 -0700 From: Paul Traina Sender: owner-security@FreeBSD.org X-Loop: FreeBSD.org Precedence: bulk But bad guy can't, because /var/mail is 755 From: =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= (aka Andrey A. Chern >>ov, Black Mage) Subject: Re: FreeBSD's /var/mail permissions > > I'm confused, why do you say adduser must create new user mailbox? > > Mail.local is already suid root and adduser should deliver a preformatted > > mail message with mail.local. > > Why should adduser send any mail to anybody? Rather silly if you ask me. Because bad guy can pre-create upcoming user mailbox with 666 permissions. -- Andrey A. Chernov : And I rest so composedly, /Now, in my bed, ache@astral.msk.su : That any beholder /Might fancy me dead - http://dt.demos.su/~ache : Might start at beholding me, /Thinking me dead. RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849