
Re: Policy: Mail folder creation (Re: Debian mutt package)



On Wed, Dec 09, 1998 at 12:19:06AM +0100, Marco d'Itri wrote:
> On Dec 07, Thomas Roessler <roessler@guug.de> wrote:
>  >>   30433  mutt: Mutt doesn't create the user's mail file as dictated by
>  >> policy manual
> [...]
>  >The reason for this is simple: From a least-privilege point of view,
>  >the one and only privileged operation a MUA ever needs to perform is
>  >locking and unlocking the spool file.  This can nicely be put into
>  >an external program, as mutt demonstrates.  Removing or creating the
>  >user's spool file is an additional and unnecessary privileged
>  >operation in a configuration like Debian's.  It's a security breach
>  >on systems with a mode 1777 mail spool.
>
> I think this is a very sensible rationale.
> If no one objects I will reassign the bugs against mutt to the policy
> package.

I think that you may be missing a subtlety of the original report.
Mutt does not remove the spool file. Debian's adduser doesn't create
an empty one when it creates a new user.

> 
> -- 
> ciao,
> Marco
> 

