Date: Tue, 8 Aug 2000 20:16:26 +0200
From: Gerhard Sittig
To: FreeBSD-SECURITY
Subject: Re: pine 4.21 port issues?
Message-ID: <20000808201626.I261@speedy.gsinet>

On Tue, Aug 08, 2000 at 00:28 -0400, Matt Heckaman wrote:
>
> I reinstalled the pine 4.21 port a few days ago and I suddenly
> was greeted with the following notice from it upon reading
> mail:
>
> [Mailbox vulnerable - directory /var/mail must have 1777 protection]
>
> This is a bad thing. The default permissions on FreeBSD for
> /var/mail are root:mail 0775 which, in my opinion, is far
> better than 1777. I'm curious as to why all of the sudden it is
> reporting the mailbox as 'vulnerable'.

Question:  How does Pine (or C-Client in this scenario) modify the
mailbox and how does it lock against the MTA delivering into the
box?

The former could be done "in place", but this would be error
prone (at least IMHO).  I guess doing a copy-and-modify from
inbox to tempbox and rename-tempbox-to-inbox is the more usual
case.
Unless I'm completely wrong and everything is done via mmapped
file handling (especially when mailboxes tend to grow to some
megabytes).

The latter (locking) is more of a problem if the MUA cannot write
into the spool directory.  For locking and for modifications to
the inbox via copies and renaming (or for creating new inboxes
upon first invocation) you need write access to the spool dir.
How do you do that with root.mail and 0775?  Do you run your MUAs
setgid mail?  That's what I would _not_ prefer. :)

> Pine also has a new? depend on c-client4.7 which it did not have
> a few months ago to my knowledge, as I have one pine build from
> March 19 that does not have this depend or the mailbox warning.

As long as I can remember (although it's only since pine 3.96:)
pine always used to rely on the c-client lib for mailbox
handling.  That's how it could easily be extended to handle
Maildir folders.

Maybe the lib's been included in previous releases or ports and
it's just new that the lib's an external reference since lately.
This had the advantage of independent updatability(sp/id?) of
this lib and more ports could make use of this lib without every
port bringing a copy of its own with it.  I think some pop
servers used to build upon c-client, too.

So you end up fetching the same tarballs as before -- pine code
and the c-client code.  Before you had it in one(?) package and
now they're separate but dependent packages.  And as soon as
other ports use the c-client lib too you end up with reduced
traffic. :)

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.