[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Netscape Mail & /var/spool/mail permissions

I see the problem now - thanks.

I'm not on the developers' list, so I'll miss any responses that aren't

I believe procmail, when configured as the "Mlocal" delivery agent, will
handle improperly owned files at delivery time.  I don't recall if it
renames the prior file, or chowns it - but things end up working out

We use procmail as the local delivery agent on all the mail hubs we set
up these days (sun, sgi, dec).  It's been working nicely.

Nice side effect: users don't need gibberish in their .forward's to use
.procmailrc's, if you set procmail up as the local delivery agent.

Brian C. White wrote:
> > > Second, do _not_ change the permissions of /var/spool/mail.  The permissions
> > > that Netscape suggests introduce a small security hole where one user could
> > > potentially gain complete access to another's mail.  (It's small, but true.)
> > > The permissions in the Debian system are correct.
> >
> > What is the nature of this hole?
> The problem happens like this...
>  - root adds world write permissions to /var/spool/mail
>  - cracker creates file /var/spool/mail/fred with public read/write
>  - new user "fred" is created
>  - cracker and fred (and rest of the world) can read/write fred's mail.
> Networks and NIS could create users on machines where the user doesn't
> actually have a home directory, but to which mail could be specifically
> directed, thus giving the hacker a free and largely untraceable mail
> account.
> There is the additional problem that anyone could also create all
> the files and directories they want under /var/spool/mail.
> > I've run into *ix variants that don't need 1777 mail spools before, but
> > I've never heard of it being a security hole to make their spool 1777.
> >
> > Debian uses sendmail V8, no?  Is it using an oddball delivery agent or
> > something?
> This would affect all systems as far as I can tell.
>                                         Brian
>                                ( bcwhite@verisim.com )
> -------------------------------------------------------------------------------
>     In theory, theory and practice are the same.  In practice, they're not.

Reply to: