Re: Bug#3189: nvi over-cautious about .exrc?
Ian Jackson:
> > >It is not the business of programs to check the permissions of the
> > >dotfiles in users' home directories.
Bill Mitchell:
> > I agree. I chased my tail for quite a while some time back because of
> > what I recall as procmail's concern over the permissions on my .forward
> > file. It didn't complain, it just didn't work as I expected from reading
> > the docs.
Oliver Oberdorf:
> But for a large system with many users (of varying levels of clue) it
> is very beneficial for the SysAdmin that a user can't accidentally create
> a writeable .forward file.
But having one fairly obscure app (procmail) break in a confusing manner
if it encounters a group-writable .forward file doesn't stop users from
creating such a file. In particular, it does not stop the large majority
of users who don't use procmail.
For a sysadmin to depend on the procmail program to provide security
in this area is futile. He'd be better off to run a system security
auditing program (cops? others?), or use a tool like cfengine(1) to
script up a security audit customized to his particular system situation.
For the procmail program to do a less than stellar job of dealing
piecemeal with what it perceives as an isolated possible security
problem is likely to be ineffective and/or counterproductive.
(note: not to pick on procmail specifically here -- it just happens
to be a live example which came to mind)
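
Added example, not part of the original message: a minimal system-wide audit of the kind suggested above, reporting dotfiles that are group- or world-writable no matter which programs read them. The one-directory-per-user layout under HOME_ROOT, the file list, and the extra check on the home directory's own mode are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit per-user dotfiles for group/world write permission.
# Assumptions: HOME_ROOT contains one directory per user, and AUDIT_FILES
# names the dotfiles of interest (adjust the list for your site).

AUDIT_FILES=".forward .exrc .procmailrc"

# is_loose PATH [FIND_OPTION]
# Succeeds if PATH is writable by group or other. Uses only POSIX find
# primaries; -prune stops find from descending when PATH is a directory.
is_loose() {
    [ -n "$(find $2 "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit_dotfiles HOME_ROOT
# Prints one "REASON<TAB>PATH" line per finding, nothing if all is clean.
audit_dotfiles() {
    root=$1
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        # A group/world-writable home directory lets other users replace
        # the dotfiles, whatever the files' own modes are.
        if is_loose "$home"; then
            printf 'writable-home\t%s\n' "$home"
        fi
        for name in $AUDIT_FILES; do
            f=$home/$name
            # -H makes find judge a symlink's target, not the link itself
            # (links are always mode 777 and would be false positives).
            if [ -f "$f" ] && is_loose "$f" -H; then
                printf 'writable-file\t%s\n' "$f"
            fi
        done
    done
}

# Run as a script: audit the directory given as $1, if any.
if [ -n "${1:-}" ]; then
    audit_dotfiles "$1"
fi
```

Run from cron with the site's home root as the argument (for example /home) and mail any non-empty output to the admin.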