From owner-freebsd-security Mon Jun 25 14:41: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 03E2C37B407 for ; Mon, 25 Jun 2001 14:40:56 -0700 (PDT) (envelope-from fasty@i-sphere.com) Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f5PLmeT94495; Mon, 25 Jun 2001 14:48:40 -0700 (PDT) (envelope-from fasty) Date: Mon, 25 Jun 2001 14:48:39 -0700 From: faSty To: Jason DiCioccio Cc: freebsd-security@freebsd.org Subject: Re: "Correct" permissions on /var/mail? Message-ID: <20010625144839.C94318@i-sphere.com> References: <657B20E93E93D4118F9700D0B73CE3EA0166D9B4@goofy.epylon.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA0166D9B4@goofy.epylon.lan>; from jdicioccio@epylon.com on Mon, Jun 25, 2001 at 09:58:51AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org True, I would terminate the customer's account out of my server. simple -trev On Mon, Jun 25, 2001 at 09:58:51AM -0700, Jason DiCioccio wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I use the freebsd default, although someone could still fill up /var > if they wanted to.. (cat /dev/urandom >/var/mail/`whoami`) > > But 1777 they could create extra files, no? I'd rather not have a > second /tmp.. > > > Cheers, > - -JD- > > > - -----Original Message----- > From: Leonard Chung [mailto:leonard@ssl.berkeley.edu] > Sent: Sunday, June 24, 2001 2:12 PM > To: security@FreeBSD.ORG > Subject: "Correct" permissions on /var/mail? > > > I was having a debate with a colleague the other day on the correct > mode > for /var/mail. He claimed that 1777 is more secure than what I've > always > had (the FreeBSD default of root:mail 775). > > 1777 gives you the additional benefit of protecting you from > compromises on > the mail group, but requires that on every machine quotas be > installed even > for machines with just one or two users. Without quotas, a malicious > user > could fill up /var/mail creating a DoS for everybody receiving mail > off > that machine. 775 doesn't protect against compromises of the mail > group, > but has the added benefit that it protects against a user filling > /var/mail > inadvertently as they would have to purposely send lots of e-mail. > > Which do most of you use? Is there a reason /var/mail is initially > set to > 775 rather than 1777? > > Thanks, > > Leonard > > > - -- > Leonard Chung - > SETI@home - The Search for Extraterrestrial Intelligence @ home > http://www.setiathome.ssl.berkeley.edu > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 7.0.3 for non-commercial use > > iQA/AwUBOzdupVCmU62pemyaEQK3RwCgzkfVW04EYczOaPU7bJrNb1RQM2wAn0tI > VBfsNr+Jg1j6n+S40M4QXRMA > =RbAH > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message