Date: Fri, 7 Jun 1996 08:48:17 -0700
From: "Dima Ruban" <dima@sivka.rdy.com>
To: Paul Traina <pst@shockwave.com>, security@FreeBSD.ORG
Subject: Re: FreeBSD's /var/mail permissions
Message-ID: <960607084817.ZM3926@sivka.rdy.com>
In-Reply-To: Paul Traina <pst@shockwave.com> "FreeBSD's /var/mail permissions" (Jun 7, 5:39am)
References: <199606071239.FAA19708@precipice.shockwave.com>
On Jun 7, 5:39am, Paul Traina wrote:
> Subject: FreeBSD's /var/mail permissions
> General problem:
> Currently, /var/mail is set 0755 and mail.local is setuid root.
> Any program which needs to *create* a new file in /var/mail must
> be setuid root. Any program which wishes to manipulate a user mail
> file needs no special permissions (other than user permissions).
>
> I consider this a generic bug, even though there's a specific
> reason motivating me to change it.
>
> Specific problem:
> Previous versions of the popper port created a temporary file
> ".pop.username" in /var/mail as root, and then chowned the file
> over to the user. This was changed to avoid a potential race
> condition. The file creation is now done at user level.
>
> When I discussed this with the author of popper, he was adamant
> that /var/mail should be 1755 (ala 4.3BSD) or 775 with a group
> of mail (ala USG...barf).
>
> If popper were the only problem, I'd consider choosing a
> different directory for this temporary file to be created, such
> as /var/tmp. This leads to a new set of problems and I consider
> it less secure than maintaining the file in /var/mail as we have
> always done.
>
> Proposed solution:
> I'm considering creating group "mail" and going the setgid route,
> so that a program which creates files in /var/mail can be simply
> setgid mail.

Agreed. More than that, something like a year ago (maybe even more) I created a
mail group and changed the modes on /var/mail. It works just perfectly and has
solved a whole bunch of problems for me.

> This is a well understood mail directory protection mechanism
> and employs the "principle of least privilege."
>
> Impact:
> Programs that expect the current semantics will still work just
> fine (we wouldn't need to change elm or mail.local). All we
> are doing is allowing setgid mail delivery programs create
> access to /var/mail.
>
> Comments?
>
> I hate changing permissions on such a vital hunk of FreeBSD without
> discussion.
> Please TRIM THE CC LINE and keep all discussion in
> security@freebsd.org as opposed to the other lists.
>
> Paul
>-- End of excerpt from Paul Traina

--
dima
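A small model of the Unix permission checks behind the proposal above, written for this thread as an added example (not code from FreeBSD, popper or either poster). The group and user ids are assumptions, and the model also covers the sticky bit so that a 1775 spool can be compared with the plain 775 variant.

```python
from dataclasses import dataclass, field

S_ISVTX, S_IWUSR, S_IWGRP, S_IWOTH = 0o1000, 0o200, 0o020, 0o002

@dataclass
class Dir:            # a mail spool directory: owner, group, mode bits
    uid: int
    gid: int
    mode: int

@dataclass
class Proc:           # the delivery/POP process: effective ids + groups
    euid: int
    egid: int
    groups: frozenset = field(default_factory=frozenset)

def may_create(d: Dir, p: Proc) -> bool:
    """Directory write: root, else owner class, else group class, else other."""
    if p.euid == 0:
        return True
    if p.euid == d.uid:
        return bool(d.mode & S_IWUSR)
    if p.egid == d.gid or d.gid in p.groups:
        return bool(d.mode & S_IWGRP)
    return bool(d.mode & S_IWOTH)

def may_unlink(d: Dir, file_uid: int, p: Proc) -> bool:
    """Unlink also needs directory write; with the sticky bit set only
    root, the directory owner or the file's owner may remove it."""
    if not may_create(d, p):
        return False
    return not (d.mode & S_ISVTX) or p.euid in (0, d.uid, file_uid)

MAIL_GID, ALICE, BOB = 6, 1001, 1002          # assumed ids for illustration
current = Dir(0, 0, 0o755)          # as shipped: creating needs setuid root
proposed = Dir(0, MAIL_GID, 0o775)  # the proposal: group mail may create
sticky = Dir(0, MAIL_GID, 0o1775)   # same, plus sticky bit on the directory
popper_setgid = Proc(ALICE, MAIL_GID)   # setgid-mail popper run by alice
plain_user = Proc(ALICE, ALICE)

def summary() -> dict:
    """What each layout lets a setgid-mail (not setuid-root) program do."""
    return {
        "0755 create": may_create(current, popper_setgid),
        "0775 create": may_create(proposed, popper_setgid),
        "0775 unlink bob's mailbox": may_unlink(proposed, BOB, popper_setgid),
        "1775 unlink bob's mailbox": may_unlink(sticky, BOB, popper_setgid),
        "1775 plain user create": may_create(sticky, plain_user),
    }
```

The table from summary() shows the trade-off: 0775 with group mail removes the need for setuid root, and adding the sticky bit additionally stops a setgid-mail program from removing another user's mailbox.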