Date: Fri, 22 Jun 2001 09:45:47 -0700
From: Nick Sayer <nsayer@quack.kfu.com>
To: "Karsten W. Rohrbach" <karsten@rohrbach.de>
Cc: Nuno Teixeira <nuno.mailinglists@pt-quorum.com>, freebsd-stable@FreeBSD.ORG
Subject: Re: /var/mail permissions: 0755 or 01777 ?
Message-ID: <3B33763B.5060706@quack.kfu.com>
References: <20010621214821.C376-100000@gateway.bogus> <20010622164453.J64624@mail.webmonster.de>
Karsten W. Rohrbach wrote:
> Nuno Teixeira(nuno.mailinglists@pt-quorum.com)@2001.06.21 21:51:34 +0000:
>
>> Hello to all,
>>
>> The FreeBSD default permissions for /var/mail are 0755.
>>
>> Why is it that PINE says that the /var/mail directory is vulnerable and it
>> says to change it to 01777

1777 makes it possible for users to create files in /var/mail. The good news is that they can make lock files, which make "simultaneous" delivery and reading more reliable. The bad news is that they can make files named like other people's mail files. This can either be an attack on their reader of choice or a denial of service, depending on how smart the client and MDA are.

As such, /var/mail is A Bad Thing. Putting mail into a file in the user's home directory is much safer. But the spec is too old to change by this point. So the best idea is to dispense with Unix formatted mail files altogether. Thus this advice:

> use Maildir
> faster, simpler, secure -- simply put: better ;-)

cyrus is better still, so long as you don't mind _only_ being able to use IMAP to play with your mail. Cyrus is particularly good for companies, as lmtp deliveries result in multiple ccs being hard links rather than separate copies. Great for when Marketing sends 20 copies of a 50M powerpoint presentation. :-)

As for MUAs, nothing I've tried has beaten Netscape 4.x yet, although I have switched over to Mozilla and it is close. For non-GUI, I prefer pine despite its tarnished security reputation. Surprisingly enough, a close second place behind Mozilla for me is SquirrelMail in a web browser. It really is good, believe it or not. I would make a port for it, but it's sort of pointless as it's just a bunch of php scripts you unpack into your www data directory (www.squirrelmail.org if you are curious).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B33763B.5060706>
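The hazard Nick describes (a 1777 spool lets any local user pre-create another user's mailbox or its dotlock file) is easy to audit for. The script below is an added example, not part of this thread or of FreeBSD; it walks a /var/mail-style directory and reports the directory mode, files whose owner does not match the account the filename refers to (squatted mailboxes or `<user>.lock` files), names with no matching account, symlinks, extra hard links, and mailboxes readable or writable by others. The `demo()` function builds a constructed scenario in a temporary directory: a 1777 spool where the current user plays "mallory" and has pre-created alice's mailbox and lock file. The assumed uid mapping (alice = current uid + 1, no account called `nosuchuser`) is an assumption for the demo, injected through the `uid_of` parameter; on a real system the default resolver uses the password database.

```python
import os
import pwd
import stat
import tempfile


def audit_spool(spool_dir, uid_of=None):
    """Audit a /var/mail-style spool. Returns a list of (path, finding) tuples.

    uid_of maps a login name to its uid and raises KeyError for unknown
    names; it defaults to the system password database (pwd.getpwnam).
    """
    if uid_of is None:
        def uid_of(name):
            return pwd.getpwnam(name).pw_uid

    findings = []
    dmode = stat.S_IMODE(os.lstat(spool_dir).st_mode)
    if dmode & stat.S_IWOTH:
        if dmode & stat.S_ISVTX:
            findings.append((spool_dir, "mode %o: world-writable with sticky bit; any user can pre-create another user's mailbox or lock file" % dmode))
        else:
            findings.append((spool_dir, "mode %o: world-writable without sticky bit; any user can also unlink or rename another user's mailbox" % dmode))

    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        fst = os.lstat(path)
        if stat.S_ISLNK(fst.st_mode):
            findings.append((path, "symlink in spool: delivery could be redirected to its target"))
            continue
        if not stat.S_ISREG(fst.st_mode):
            findings.append((path, "not a regular file"))
            continue
        if fst.st_nlink > 1:
            findings.append((path, "%d hard links: another name shares this mailbox" % fst.st_nlink))
        # "alice.lock" is the dotlock for alice's mailbox; both should be alice's.
        owner = name[:-5] if name.endswith(".lock") else name
        try:
            expected = uid_of(owner)
        except KeyError:
            findings.append((path, "no account named %r: stray or squatted file" % owner))
            continue
        if fst.st_uid != expected:
            findings.append((path, "owned by uid %d but named for %s (uid %d): squatted mailbox or lock file" % (fst.st_uid, owner, expected)))
        fmode = stat.S_IMODE(fst.st_mode)
        if fmode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append((path, "mode %o: readable or writable by other users" % fmode))
    return findings


def demo():
    """Constructed scenario (not a real system): a 1777 spool in which
    'mallory' (the current user) has pre-created alice's mailbox and lock
    file. Assumed: alice's uid is our uid + 1; no account named 'nosuchuser'."""
    me = os.getuid()
    fake_uids = {"mallory": me, "alice": me + 1}

    def uid_of(name):
        return fake_uids[name]  # KeyError for unknown names, like pwd.getpwnam

    spool = tempfile.mkdtemp(prefix="spool-")
    os.chmod(spool, 0o1777)
    for fname in ("mallory", "alice", "alice.lock", "nosuchuser"):
        fpath = os.path.join(spool, fname)
        with open(fpath, "w"):
            pass
        os.chmod(fpath, 0o600)
    return audit_spool(spool, uid_of)


if __name__ == "__main__":
    for path, finding in demo():
        print(path, "->", finding)
```

Run against a real spool with `audit_spool("/var/mail")` as root. The owner check is the one that matters for the attack in the thread: with 1777 nothing stops mallory from creating `/var/mail/alice` or `/var/mail/alice.lock` first, and what happens next (mis-delivery, a client tripping over a file it does not own, or a permanent lock) depends entirely on the MDA and the MUA, which is exactly why Nick prefers formats that keep mail out of a shared directory.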