Date: Sun, 9 Jun 1996 11:56:10 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: Ade Barkah <mbarkah@hemi.com>
Cc: security@freebsd.org
Subject: Re: FreeBSD's /var/mail permissions
Message-ID: <Pine.NEB.3.92.960609114819.11452F-100000@zap.io.org>
In-Reply-To: <199606090954.DAA11025@hemi.com>
On Sun, 9 Jun 1996, Ade Barkah wrote:
>
> But this is what started the thread, right? With the current scheme
> qpop 2.2 will not work with FreeBSD; at least not for new users (it
> doesn't have enough permissions to set up the per-mailbox lock file.)

There is the general case of wanting non-setuid programs vs. write-protected
directories. The POP daemon case was one specific example of that.

I already have enough files in /var/mail, so I've always used /var/mail/.tmp
(yes, we have a user named tmp@io.org, *sigh*). It is world writeable, but I
have a separate mail server that is secured from user logins, so it isn't a
problem here.

An alternative would be to modify your newuser procedure to touch and chown a
.pop lock file for the user and configure your POP server not to remove those
files when the user exits. From the qpopper 2.2 install notes:

  h) KEEP_TEMP_DROP - Keep the .user.pop file around. It can be used to
     determine when a user last accessed their mail.

  [...]

  3) When qpopper runs it moves your mailspool to a temporary location
     (.user.pop). The default location is in the mail spool directory. /tmp
     is an alternative but is considered to be a security risk, and a system
     reboot will probably clear the temporary .user.pop files. For
     performance reasons a sysadmin who has many users (say 1000 or more)
     can create a separate spool directory for popper files.
     /usr/spool/poptemp could be a good choice. Permissions should be the
     same as your mailspool, as well as the same owner and group.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
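The following is an added illustration of the newuser hook Brian Tao suggests above; it is not code from his message, from FreeBSD, or from qpopper. It pre-creates qpopper's per-user temporary drop (the .user.pop file named in the quoted install notes) inside the mail spool at account-creation time, so that a POP daemon which is not setuid-root never has to create a file in a write-protected /var/mail, and it sets up the separate poptemp directory the notes suggest for large sites with the same permission bits, owner and group as the spool. Assumptions: qpopper is built with KEEP_TEMP_DROP so the file survives the session, the drop is given mode 0600 (the notes do not state a mode), and the directory paths are parameters so the functions can be exercised in a scratch tree rather than the real /var/mail. The function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not from the message, FreeBSD or qpopper): a newuser hook
# that pre-creates qpopper's per-user temporary drop, .USER.pop, inside the
# mail spool so a POP daemon that is not setuid-root never needs write
# access to a write-protected /var/mail. Assumes qpopper was built with
# KEEP_TEMP_DROP so the file survives the user's session; the 0600 mode is
# an assumption. Directory paths are parameters so the functions can be run
# against a scratch tree; on a real host SPOOL would be /var/mail.
set -eu

# octal_mode PATH -> permission bits in octal, e.g. 1775 for a sticky spool.
# GNU stat is tried first, FreeBSD stat(1) is the fallback.
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# owner_group PATH -> "user:group" of PATH, in the form chown accepts.
owner_group() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# make_pop_drop SPOOL USER GROUP
# Creates SPOOL/.USER.pop, mode 0600, owned by USER:GROUP, if it does not
# already exist, and prints the path. Ownership is only changed when running
# as root, since chown would fail for an ordinary user anyway.
make_pop_drop() {
    spool=$1; user=$2; group=$3
    drop="$spool/.$user.pop"
    if [ ! -e "$drop" ]; then
        # Create under a restrictive umask so the drop is never, even
        # briefly, readable by others: it will hold the user's mail.
        (umask 077 && : > "$drop")
    fi
    chmod 0600 "$drop"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$drop"
    fi
    printf '%s\n' "$drop"
}

# make_poptemp SPOOL POPTEMP
# Creates the separate drop directory the install notes suggest for large
# sites (e.g. /var/spool/poptemp) with the same permission bits as SPOOL,
# and the same owner and group when running as root. Prints the path.
make_poptemp() {
    spool=$1; poptemp=$2
    mkdir -p "$poptemp"
    chmod "$(octal_mode "$spool")" "$poptemp"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$(owner_group "$spool")" "$poptemp"
    fi
    printf '%s\n' "$poptemp"
}

# Example run against a scratch tree standing in for /var/mail:
#   tmp=$(mktemp -d); chmod 1775 "$tmp"
#   make_pop_drop "$tmp" alice mail
#   make_poptemp "$tmp" "$tmp/poptemp"
```

On a real system the hook would be called from the account-creation script with SPOOL=/var/mail and the new login name and its mail group; with the daemon configured to keep the drop, the file's mtime then also serves as the "last POP access" record the install notes mention.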