From owner-freebsd-security Sun Jun 9 16:13:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA06921 for security-outgoing; Sun, 9 Jun 1996 16:13:49 -0700 (PDT)
Received: from sea.campus.luth.se (sea.campus.luth.se [130.240.193.40]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id QAA06914 for ; Sun, 9 Jun 1996 16:13:47 -0700 (PDT)
Received: (from karpen@localhost) by sea.campus.luth.se (8.6.12/8.6.12) id BAA08704 for security@FreeBSD.org; Mon, 10 Jun 1996 01:13:30 +0200
Message-Id: <199606092313.BAA08704@sea.campus.luth.se>
Subject: Re: FreeBSD's /var/mail permissions
To: security@FreeBSD.org
Date: Mon, 10 Jun 1996 01:13:30 +0200 (MET DST)
From: "Mikael Karpberg"
In-Reply-To: <199606081506.IAA05615@precipice.shockwave.com> from "Paul Traina" at Jun 8, 96 08:06:48 am
X-Mailer: ELM [version 2.4 PL25 ME8b]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> Excellent point. :-(
[...]
> > Proposed solution:
> > I'm considering creating group "mail" and going the setgid route,
> > so that a program which creates files in /var/mail can be simply
> > setgid mail.
> >
> > This is a well understood mail directory protection mechanism
> > and employs the "principle of least privilege."
>
> I don't think so. Unlike SysV, you cannot chown a file to a user of
> your will except when being root. So IMHO this does already mandate
> the programs that create mail folders to be setuid root. Given this,
> there's no sense in using the group `mail' in addition.

Er... Excellent point? Why in the WORLD would you want to chown the files?
If a program wants to lock the mail file, by creating a lock file, or move the mailbox to another name and create a new mailbox, or use some form of temporary file, that file should be owned by the same user that is running the program, and not the user at the terminal beside him, no? ;-)

And the really neat thing is, if he just creates a file in mail with a "setgid mail" program, it will be created and... *drumroll* ...already be for the right user! No need to chown, is there? Provided /var/mail is 775 root:mail and the program is setgid mail.

Only mail.local needs to be root still, because it is not invoked by the user whose mailbox it's going to edit.

Seems the setgid and 775 root:mail /var/mail is the excellent idea, to me.

/Mikael