
Re: Bug#3189: nvi over-cautious about .exrc?

Ian Jackson:
> > >It is not the business of programs to check the permissions of the
> > >dotfiles in users' home directories.

Bill Mitchell:
> > I agree.  I chased my tail for quite a while some time back because of
> > what I recall as procmail's concern over the permissions on my .forward
> > file.  It didn't complain, it just didn't work as I expected from reading
> > the docs.

Oliver Oberdorf:
> But for a large system with many users (of varying levels of clue) it
> is very beneficial for the SysAdmin that a user can't accidentally create
> a writeable .forward file.

But having one fairly obscure app (procmail) break in a confusing manner
if it encounters a group-writable .forward file doesn't stop users from
creating such a file.  In particular, it does not stop the large majority
of users who don't use procmail.

For a sysadmin to depend on the procmail program to provide security
in this area is futile.  He'd be better off to run a system security
auditing program (cops? others?), or use a tool like cfengine(1) to
script up a security audit customized to his particular system situation.

For the procmail program to do a less than stellar job of dealing
piecemeal with what it perceives as an isolated possible security
problem is likely to be ineffective and/or counterproductive.

(note: not to pick on procmail specifically here -- it just happens
to be a live example which came to mind)
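
A site-wide check of the kind the message above recommends, as an added example that is not part of the original post and is neither COPS nor cfengine. It assumes one home directory per user under a single root; the `DOTFILES` list and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit users' dotfiles centrally instead of relying on each
# program to check them. The one-directory-per-user layout and the DOTFILES
# list are assumptions; adjust both for the local system.

DOTFILES=".forward .exrc .procmailrc"

# Print the numeric owner uid of a path (ls -n is POSIX).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# audit_dotfiles HOME_ROOT
# Prints one "REASON<TAB>PATH" line per finding; returns 1 if any were found.
audit_dotfiles() {
    root=$1
    found=0
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        home=${home%/}
        home_uid=$(owner_uid "$home")
        for name in $DOTFILES; do
            f=$home/$name
            # Skip absent files (-L also catches dangling symlinks).
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then
                printf 'symlink\t%s\n' "$f"; found=1; continue
            fi
            # Group- or world-writable: another account can alter what the
            # program does on the user's behalf.
            if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
                printf 'writable-by-others\t%s\n' "$f"; found=1
            fi
            # Owned by someone other than the owner of the home directory.
            if [ "$(owner_uid "$f")" != "$home_uid" ]; then
                printf 'wrong-owner\t%s\n' "$f"; found=1
            fi
        done
    done
    return "$found"
}

# Typical use, e.g. from cron with the output mailed to the admin:
#   audit_dotfiles /home
```

Because it reports on every listed dotfile for every user, the result does not depend on which mail or editor programs a given user happens to run.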
