Date:      Sat, 8 Jun 1996 17:26:32 -0600
From:      Nate Williams <nate@sri.MT.net>
To:        Mattias Pantzare <pantzer@ludd.luth.se>
Cc:        Андрей Чернов <ache@astral.msk.su>, pst@shockwave.com, security@FreeBSD.org
Subject:   Re: FreeBSD's /var/mail permissions
Message-ID:  <199606082326.RAA05044@rocky.sri.MT.net>
In-Reply-To: <Pine.SUN.3.91.960608210807.3126A-100000@max.ludd.luth.se>
References:  <199606080732.LAA00950@astral.msk.su> <Pine.SUN.3.91.960608210807.3126A-100000@max.ludd.luth.se>

> > > Why should adduser send any mail to anybody? Rather silly if you ask me.
> > 
> > Because bad guy can pre-create upcoming user mailbox with 666 permissions.
> 
> Not if the adduser script creates it. To remove the option on sending a mail
> to the new user fills no function.

This assumes that 'adduser' is the only tool used to create passwords,
which it isn't by any stretch of the imagination.  Closing the hole by
"forcing" people to add users with a tool that doesn't necessarily reflect
local policy is not a good solution.


Nate
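
[Added example, not part of the original message or of FreeBSD's tools.] Since accounts may be created by tools other than adduser, one tool-independent check is to audit the mail spool itself for mailboxes that are world-writable, owned by the wrong uid, or named for an account that does not exist yet. The function names, the account table and the temporary spool below are constructed for illustration; on a real system the default lookup reads the password database.

```python
import os
import pwd
import stat
import tempfile


def passwd_uid(name):
    """Return the uid for an account name, or None if no such account."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_spool(spool_dir, uid_for_name=passwd_uid):
    """Return (mailbox, problem) pairs for suspicious spool entries."""
    findings = []
    for name in sorted(os.listdir(spool_dir)):
        # lstat: a symlink planted in the spool must not be followed
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        expected = uid_for_name(name)
        if expected is None:
            # mailbox exists before the account does (pre-created)
            findings.append((name, "no such account"))
        elif st.st_uid != expected:
            findings.append((name, "owner mismatch"))
    return findings


def demo():
    """Audit a constructed spool against a constructed account table."""
    me = os.getuid()
    accounts = {"alice": me, "bob": me + 1}  # hypothetical accounts
    with tempfile.TemporaryDirectory() as spool:
        for name, mode in (("alice", 0o600), ("bob", 0o600), ("carol", 0o666)):
            path = os.path.join(spool, name)
            open(path, "w").close()
            os.chmod(path, mode)  # chmod so the umask cannot mask 0666
        return audit_spool(spool, accounts.get)


if __name__ == "__main__":
    for mailbox, problem in demo():
        print(f"{mailbox}: {problem}")
```

Run against the real spool directory, `audit_spool("/var/mail")` will also report lock files and other non-mailbox entries as "no such account", so review the output rather than acting on it automatically.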


