From owner-freebsd-security Fri Jun 7 09:01:01 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA26540 for security-outgoing; Fri, 7 Jun 1996 09:01:01 -0700 (PDT)
Received: from sivka.rdy.com (sivka.rdy.com [205.149.182.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA26527 for ; Fri, 7 Jun 1996 09:00:54 -0700 (PDT)
Received: from dima@localhost by sivka.rdy.com id IAA03928; (8.7/RDY) Fri, 7 Jun 1996 08:48:17 -0700 (PDT)
From: "Dima Ruban"
Message-Id: <960607084817.ZM3926@sivka.rdy.com>
Date: Fri, 7 Jun 1996 08:48:17 -0700
In-Reply-To: Paul Traina "FreeBSD's /var/mail permissions" (Jun 7, 5:39am)
References: <199606071239.FAA19708@precipice.shockwave.com>
Organization: HackerDome, Inc.
X-Mailer: Z-Mail (4.0b.514 14may96)
To: Paul Traina , security@FreeBSD.ORG
Subject: Re: FreeBSD's /var/mail permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Jun 7, 5:39am, Paul Traina wrote:
> Subject: FreeBSD's /var/mail permissions
> General problem:
> Currently, /var/mail is set 0755 and mail.local is setuid root.
> Any program which needs to *create* a new file in /var/mail must
> be setuid root. Any program which wishes to manipulate a user mail
> file needs no special permissions (other than user permissions).
>
> I consider this a generic bug, even though there's a specific
> reason motivating me to change it.
>
> Specific problem:
> Previous versions of the popper port created a temporary file
> ".pop.username" in /var/mail as root, and then chowned the file
> over to the user. This was changed to avoid a potential race
> condition. The file creation is now done at user level.
>
> When I discussed this with the author of popper, he was adamant
> that /var/mail should be 1755 (ala 4.3BSD) or 775 with a group
> of mail (ala USG...barf).
>
> If popper were the only problem, I'd consider choosing a
> different directory for this temporary file to be created, such
> as /var/tmp. This leads to a new set of problems and I consider
> it less secure than maintaining the file in /var/mail as we have
> always done.
>
> Proposed solution:
> I'm considering creating group "mail" and going the setgid route,
> so that a program which creates files in /var/mail can be simply
> setgid mail.

Agreed. More than that, something like a year ago (maybe even more) I
created a mail group and changed the modes on /var/mail. It works just
perfectly and solved a whole bunch of problems for me.

> This is a well understood mail directory protection mechanism
> and employs the "principle of least privilege."
>
> Impact:
> Programs that expect the current semantics will still work just
> fine (we wouldn't need to change elm or mail.local). All we
> are doing is allowing setgid mail delivery programs create
> access to /var/mail.
>
> Comments?
>
> I hate changing permissions on such a vital hunk of FreeBSD without
> discussion. Please TRIM THE CC LINE and keep all discussion in
> security@freebsd.org as opposed to the other lists.
>
> Paul
>-- End of excerpt from Paul Traina --

-- dima
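The thread above compares three layouts for the mail spool: the current 0755 root-owned directory (only root, via setuid mail.local, can create a mailbox), a sticky-bit world-writable directory in the 4.3BSD style, and the proposed root:mail 0775 directory with setgid-mail delivery programs. The following is an added example, not code from the thread or from FreeBSD: it models the classic UNIX discretionary access check for "create an entry in this directory" and "unlink an entry from this directory" (including the sticky-bit rule) and runs a setuid-root deliverer, a setgid-mail popper, the mailbox owner and an unrelated user against each layout. The numeric uids and the gid for group "mail" are assumptions, the sticky layout is modelled as 1777 (world-writable plus sticky, the variant in which the sticky bit actually matters), and the model ignores ACLs, securelevel and file flags.

```python
"""Model of who can create/unlink mailbox files under three /var/mail layouts.

Added example; simplified UNIX DAC only (no ACLs, no securelevel, no chflags).
"""
import stat

ROOT_UID = 0
MAIL_GID = 6        # assumed gid for a "mail" group; site-specific in practice
ALICE, BOB = 1001, 1002   # assumed ordinary-user uids


def _class_bits(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Return the rwx triple (owner, group or other) that applies to the caller."""
    if proc_uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in proc_gids:
        return (mode >> 3) & 7
    return mode & 7


def can_create_in(dir_mode, dir_uid, dir_gid, proc_uid, proc_gids):
    """Creating a directory entry needs write+search on the directory; root bypasses DAC."""
    if proc_uid == ROOT_UID:
        return True
    bits = _class_bits(dir_mode, dir_uid, dir_gid, proc_uid, proc_gids)
    return bits & 0o3 == 0o3          # w (2) and x (1) both set


def can_unlink_from(dir_mode, dir_uid, dir_gid, file_uid, proc_uid, proc_gids):
    """Unlink needs write+search on the directory; with the sticky bit the caller
    must additionally own the file or the directory (root is exempt)."""
    if proc_uid == ROOT_UID:
        return True
    if not can_create_in(dir_mode, dir_uid, dir_gid, proc_uid, proc_gids):
        return False
    if dir_mode & stat.S_ISVTX:
        return proc_uid in (file_uid, dir_uid)
    return True


# (mode, owner uid, owner gid) for each spool layout discussed in the thread
SCHEMES = {
    "0755 root:wheel (current)": (0o755, ROOT_UID, 0),
    "1777 root:wheel (sticky, 4.3BSD style)": (0o1777, ROOT_UID, 0),
    "0775 root:mail (proposed)": (0o775, ROOT_UID, MAIL_GID),
}

# (effective uid, set of group ids) for each kind of process
ACTORS = {
    "setuid-root mail.local": (ROOT_UID, {0}),
    "setgid-mail popper run by alice": (ALICE, {ALICE, MAIL_GID}),
    "alice (plain user)": (ALICE, {ALICE}),
    "bob (unrelated user)": (BOB, {BOB}),
}


def report():
    """For every scheme and actor: can it create a new spool file, and can it
    unlink alice's mailbox? Returns {scheme: {actor: (create, unlink_alice)}}."""
    out = {}
    for sname, (mode, duid, dgid) in SCHEMES.items():
        out[sname] = {}
        for aname, (uid, gids) in ACTORS.items():
            create = can_create_in(mode, duid, dgid, uid, gids)
            unlink = can_unlink_from(mode, duid, dgid, ALICE, uid, gids)
            out[sname][aname] = (create, unlink)
    return out


if __name__ == "__main__":
    for sname, rows in report().items():
        print(sname)
        for aname, (create, unlink) in rows.items():
            print(f"  {aname:34s} create={create!s:5s} unlink alice's mbox={unlink}")
```

Running it shows the trade-off in the thread: under 0755 only root can create, so any program that needs to make a spool file has to be setuid root; under 1777 anyone can create (so bob can pre-create ".pop.alice"), but the sticky bit stops him removing alice's mailbox; under 0775 root:mail creation is confined to processes carrying the mail gid, which is exactly what a setgid-mail helper gets, while users with no extra privilege can neither create nor remove spool files. The cost of the proposed layout, visible in the last column, is that any setgid-mail process can also unlink anyone's mailbox, so such helpers still need to be written carefully.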