Date:      Fri, 1 Nov 1996 08:33:20 +0900 (JST)
From:      Michael Hancock <michaelh@cet.co.jp>
To:        "Hr.Ladavac" <lada@ws2301.gud.siemens.co.at>
Cc:        terry@lambert.org, dubois@primate.wisc.edu, current@freebsd.org
Subject:   Re: /var/mail (was: re: Help, permission problems...)
Message-ID:  <Pine.SV4.3.95.961101082343.2317A-100000@parkplace.cet.co.jp>
In-Reply-To: <199610311259.AA157886749@ws2301.gud.siemens.co.at>

On Thu, 31 Oct 1996, Hr.Ladavac wrote:

> E-mail message from Michael Hancock contained:
> > On Wed, 30 Oct 1996, Terry Lambert wrote:
> > 
> > > > Also, perhaps I missed it in this discussion, but just what *is*
> > > > the security problem WRT having /var/mail set to 1777?
> > > 
> > > % id
> > > uid=501(terry) gid=20(staff) groups=20(staff), 0(wheel), 552(ncvs)
> > > % touch /var/mail/dubois
> > > % chmod 644 !$
> > > % ls -l !$
> > > -rw-r--r--  1 terry  wheel      0 Oct 30 17:02 /var/mail/dubois
> > > % mail -s "pay me a dollar to unlock your mail" dubois < /dev/null
> > > Null message body; hope that's ok
> > > %
> > 
> > The workaround is to use mail readers that truncate instead of remove
> > the file when all messages have been deleted or moved.
> 
> How about:
> 
> user is not yet there, but will be ... or he didn't receive any mail yet.

Got me on the first one, but the prankster has to predict names.  It's
probably acceptable for a lot of sites.

In the second case use an administrative program that sends mail each time
an account is created.

Regards,


Mike Hancock

BTW, I'm just playing devil's advocate.  I like flock() and proper
permissions on /var/mail.

What I really prefer is using procmail to deliver to
/home/%u/mail/mbox.  This requires changes to pop3 and using a mail
reader that can look elsewhere more flexibly.  Or just use imap and pine.
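
A defender-side audit for the condition shown in the quoted transcript (a mailbox in the spool owned by someone other than the user it is named for, or created for a name that has no account yet), as an added example that is not part of the original message. The account names and the temporary spool built in `demo()` are constructed, and the `uid_of` parameter is an assumption of this sketch so it can run without touching the real /var/mail.

```python
import os
import pwd
import stat
import tempfile


def lookup_uid(name):
    """Return the uid for an account name, or None if no such account."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_spool(spool, uid_of=lookup_uid):
    """Return sorted (name, problem) pairs for a mail spool directory."""
    findings = []
    if stat.S_IMODE(os.lstat(spool).st_mode) & stat.S_IWOTH:
        findings.append((".", "spool is world-writable"))
    for name in os.listdir(spool):
        if name.endswith(".lock"):
            continue  # dotlock files are not mailboxes
        st = os.lstat(os.path.join(spool, name))  # lstat: never follow links
        expected = uid_of(name)
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        elif expected is None:
            findings.append((name, "no such account"))
        elif st.st_uid != expected:
            findings.append(
                (name, "owned by uid %d, expected %d" % (st.st_uid, expected)))
    return sorted(findings)


def demo():
    """Build a constructed spool in a temp dir and audit it."""
    me = os.getuid()
    accounts = {"alice": me, "dubois": me + 1}  # constructed account table
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)  # the mode under discussion in the thread
        for name in ("alice", "dubois", "newhire"):
            open(os.path.join(spool, name), "w").close()
        return audit_spool(spool, accounts.get)


if __name__ == "__main__":
    for name, problem in demo():
        print("%s: %s" % (name, problem))
```

Against a real spool, call `audit_spool("/var/mail")` with the default lookup; it only reads metadata and changes nothing.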
