Date:      Tue, 8 Aug 2000 20:16:26 +0200
From:      Gerhard Sittig <Gerhard.Sittig@gmx.net>
To:        FreeBSD-SECURITY <freebsd-security@freebsd.org>
Subject:   Re: pine 4.21 port issues?
Message-ID:  <20000808201626.I261@speedy.gsinet>
In-Reply-To: <Pine.BSF.4.21.0008080020001.86895-100000@epsilon.lucida.qc.ca>; from matt@ARPA.MAIL.NET on Tue, Aug 08, 2000 at 12:28:35AM -0400
References:  <Pine.BSF.4.21.0008080020001.86895-100000@epsilon.lucida.qc.ca>


On Tue, Aug 08, 2000 at 00:28 -0400, Matt Heckaman wrote:
> 
> I reinstalled the pine 4.21 port a few days ago and I suddenly
> was greeted with the following notice from it upon reading
> mail:
> 
> [Mailbox vulnerable - directory /var/mail must have 1777 protection]
> 
> This is a bad thing. The default permissions on FreeBSD for
> /var/mail are root:mail 0775 which, in my opinion, is far
> better than 1777. I'm curious as to why all of the sudden it is
> reporting the mailbox as 'vulnerable'.

Question:  How does Pine (or C-Client in this scenario) modify
the mailbox and how does it lock against the MTA delivering into
the box?

The former could be done "in place", but this would be error
prone (at least IMHO).  I guess doing a copy-and-modify from
inbox to tempbox and rename-tempbox-to-inbox is the more usual
case.  Unless I'm completely wrong and everything is done via
mmapped file handling (especially when mailboxes tend to grow to
some megabytes).

The latter (locking) is more of a problem if the MUA cannot write
into the spool directory.

For locking and for modifications to the inbox via copies and
renaming (or for creating new inboxes upon first invocation) you
need write access to the spool dir.  How do you do that with
root.mail and 0775?  Do you run your MUAs setgid mail?  That's
what I would _not_ prefer. :)

> Pine also has a new? depend on c-client4.7 which it did not have
> a few months ago to my knowledge, as I have one pine build from
> March 19 that does not have this depend or the mailbox warning.

As long as I can remember (although it's only since pine 3.96:)
pine always used to rely on the c-client lib for mailbox
handling.  That's how it could easily be extended to handle
Maildir folders.  Maybe the lib's been included in previous
releases or ports and it's just new that the lib's an external
reference since lately.  This had the advantage of independent
updatability(sp/id?) of this lib and more ports could make use of
this lib without every port bringing a copy of its own with it.
I think some pop servers used to build upon c-client, too.

So you end up fetching the same tarballs as before -- pine code
and the c-client code.  Before you had it in one(?) package and
now they're separate but dependent packages.  And as soon as
other ports use the c-client lib too you end up with reduced
traffic. :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
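
An added example, not part of the original message: a Python sketch of the point about spool-directory write access. It checks whether a user may create a `<mailbox>.lock` file under a given directory mode, then shows the exclusive-create dotlock itself. The uid/gid values and the mailbox name are constructed sample values, and `can_dotlock`, `acquire_dotlock` and `demo` are hypothetical helpers, not c-client code.

```python
import os
import stat
import tempfile

def can_dotlock(mode, dir_uid, dir_gid, uid, gids):
    """True if this user may create <mailbox>.lock in the spool directory.
    Creating an entry needs write + search on the directory itself."""
    if uid == 0:
        return True
    # Pick the owner, group or other permission triplet that applies.
    shift = 6 if uid == dir_uid else 3 if dir_gid in gids else 0
    return (mode >> shift) & 0o3 == 0o3

def is_sticky(mode):
    """With the sticky bit, users can only remove or rename their own entries."""
    return bool(mode & stat.S_ISVTX)

def acquire_dotlock(mailbox):
    """Take the lock by exclusive create; None means someone else holds it.
    PermissionError propagates when the directory is not writable."""
    lock = mailbox + ".lock"
    try:
        fd = os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o444)
    except FileExistsError:
        return None
    os.write(fd, str(os.getpid()).encode())
    os.close(fd)
    return lock

def demo():
    """Lock, collide, release, relock inside a scratch 'spool' directory."""
    with tempfile.TemporaryDirectory() as spool:
        box = os.path.join(spool, "alice")  # constructed mailbox name
        open(box, "w").close()
        first = acquire_dotlock(box)   # MUA takes the lock
        second = acquire_dotlock(box)  # MTA finds it held
        os.unlink(first)               # MUA releases
        third = acquire_dotlock(box)   # MTA can now lock
        return first is not None, second is None, third is not None

if __name__ == "__main__":
    USER, MAIL_GID = 1001, 6  # constructed uid; gid assumed to be 'mail'
    for mode in (0o775, 0o1777):
        print(oct(mode),
              "plain MUA:", can_dotlock(mode, 0, MAIL_GID, USER, [USER]),
              "setgid mail:", can_dotlock(mode, 0, MAIL_GID, USER, [MAIL_GID]),
              "sticky:", is_sticky(mode))
    print(demo())
```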