Date: Fri, 07 Jun 1996 10:25:37 -0700 From: Paul Traina <pst@shockwave.com> To: Barnacle Wes <softweyr@xmission.com> Cc: security@freebsd.org Subject: Re: FreeBSD's /var/mail permissions Message-ID: <199606071725.KAA01419@precipice.shockwave.com> In-Reply-To: Your message of "Fri, 07 Jun 1996 09:42:08 MDT." <199606071542.JAA14520@xmission.xmission.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Correction: Most MUAs do not need write access to this directory, so they are not SUID root. They just work on the files. From: Barnacle Wes <softweyr@xmission.com> Subject: Re: FreeBSD's /var/mail permissions > Proposed solution: > I'm considering creating group "mail" and going the setgid route, > so that a program which creates files in /var/mail can be simply > setgid mail. > > This is a well understood mail directory protection mechanism > and employs the "principle of least privilege." From a security standpoint, this is a win. If it were only *one* less suid program, it probably wouldn't be worth bothering with, but with the number of MUAs on the average system these days (elm, pine, emacs, mh, xmh, netscape, various X mailers, etc) this is worth doing. Each of these can be changed from suid to sgid as someone is doing a port update. -- Wes Peters | Yes I am a pirate, two hundred years too late Softweyr | The cannons don't thunder, there's nothing to plunder Consulting | I'm an over forty victim of fate... softweyr@xmission.com | Jimmy Buffett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606071725.KAA01419>