From owner-freebsd-security  Sun Jun 24 14: 0:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pltn13.pbi.net (mta8.pltn13.pbi.net [64.164.98.22])
	by hub.freebsd.org (Postfix) with ESMTP id A3CB337B409
	for <security@FreeBSD.ORG>; Sun, 24 Jun 2001 14:00:50 -0700 (PDT)
	(envelope-from leonard@ssl.berkeley.edu)
Received: from zeus.berkeley.edu ([206.170.1.101])
 by mta8.pltn13.pbi.net (iPlanet Messaging Server 5.1 (built May  7 2001))
 with ESMTP id <0GFG00A82D17K5@mta8.pltn13.pbi.net> for security@FreeBSD.ORG;
 Sun, 24 Jun 2001 14:00:48 -0700 (PDT)
Date: Sun, 24 Jun 2001 14:11:54 -0700
From: Leonard Chung <leonard@ssl.berkeley.edu>
Subject: "Correct" permissions on /var/mail?
X-Sender: leonard@chung.yikes.com (Unverified)
To: security@FreeBSD.ORG
Message-id: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

I was having a debate with a colleague the other day on the correct mode 
for /var/mail. He claimed that 1777 is more secure than what I've always 
had (the FreeBSD default of root:mail 775).

1777 gives you the additional benefit of protecting you from compromises on 
the mail group, but requires that on every machine quotas be installed even 
for machines with just one or two users. Without quotas, a malicious user 
could fill up /var/mail creating a DoS for everybody receiving mail off 
that machine. 775 doesn't protect against compromises of the mail group, 
but has the added benefit that it protects against a user filling /var/mail 
inadvertently as they would have to purposely send lots of e-mail.

Which do most of you use? Is there a reason /var/mail is initially set to 
775 rather than 1777?

Thanks,

Leonard


--
Leonard Chung - <leonard@ssl.berkeley.edu>
SETI@home - The Search for Extraterrestrial Intelligence @ home
http://www.setiathome.ssl.berkeley.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message