From: "Hr.Ladavac"
Message-Id: <199610311259.AA157886749@ws2301.gud.siemens.co.at>
Subject: Re: /var/mail (was: re: Help, permission problems...)
To: michaelh@cet.co.jp (Michael Hancock)
Date: Thu, 31 Oct 1996 13:59:07 +0100 (MEZ)
Cc: terry@lambert.org, dubois@primate.wisc.edu, current@freebsd.org
In-Reply-To: from "Michael Hancock" at Oct 31, 96 08:55:58 pm

E-mail message from Michael Hancock contained:
> On Wed, 30 Oct 1996, Terry Lambert wrote:
>
> > > Also, perhaps I missed it in this discussion, but just what *is*
> > > the security problem WRT having /var/mail set to 1777?
> >
> > % id
> > uid=501(terry) gid=20(staff) groups=20(staff), 0(wheel), 552(ncvs)
> > % touch /var/mail/dubois
> > % chmod 644 !$
> > % ls -l !$
> > -rw-r--r-- 1 terry wheel 0 Oct 30 17:02 /var/mail/dubois
> > % mail -s "pay me a dollar to unlock your mail" dubois < /dev/null
> > Null message body; hope that's ok
> > %
>
> The workaround is to use mailer readers that truncate instead of remove
> the file when all messages have been deleted or moved.

How about: user is not yet there, but will be ... or he didn't receive
any mail yet.

% whoami
nasty
% touch /var/mail/user
% chmod 777 !$
% mail -s "pay me a dollar to make your mail world unreadable" user < /dev/null

Not to mention nice things you can do with symlinks, hardlinks, you-name-it...

/Marino

>
> Regards,
>
>
> Mike Hancock
>
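
An audit of a mail spool for the conditions shown in this thread, as an added example that is not part of the original message: it flags mailboxes that are symlinks, have extra hard links, match no account, are owned by a different uid than the account they are named for, or are accessible by others. The function names, the `.lock` skip and the assumption that each mailbox file is named after its owner's login are choices made for this example.

```python
import os
import pwd
import stat
import sys


def passwd_uid(name):
    """uid of the local account `name`, or None if no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_spool(spool="/var/mail", uid_of=passwd_uid):
    """Return (mailbox, problem) pairs for entries a user could have planted."""
    findings = []
    for name in sorted(os.listdir(spool)):
        if name.endswith(".lock"):  # assumption: dot-lock files are not mailboxes
            continue
        st = os.lstat(os.path.join(spool, name))  # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
            continue
        if st.st_nlink > 1:
            findings.append((name, "multiple hard links"))
        expected = uid_of(name)
        if expected is None:
            # Second case in the thread: file created before the user exists.
            findings.append((name, "no matching account"))
        elif st.st_uid != expected:
            # First case in the thread: terry owns /var/mail/dubois.
            findings.append((name, "owned by another uid"))
        if st.st_mode & stat.S_IRWXO:
            findings.append((name, "accessible by others"))
    return findings


if __name__ == "__main__":
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/mail"
    if os.path.isdir(spool):
        for name, problem in audit_spool(spool):
            print("%s/%s: %s" % (spool, name, problem))
```

The `uid_of` parameter exists so the check can be run against a copy of a spool with a supplied name-to-uid mapping instead of the local password database.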