
Re: non-setgid mail MUAs



On Mon, 28 Aug 2000, Matt Kraai wrote:

> Policy 3.2.1.0 states that MUAs should be setgid mail.  This is so that
> they can create lockfiles in /var/spool/mail.  This has the unfortunate
> consequence that MUA bugs can be exploited to read the email of other
> users.  A setgid mail locking utility has been added to liblockfile so
> that MUAs that use liblockfile do not need to be setgid mail.

Please don't forget that liblockfile 1.01 (I haven't seen a newer version
yet) does not provide NFS-safe locking, which violates policy chapter
5.6.  So I advise against using liblockfile for MUAs until this problem
is solved (see Bug #43491).

Tschoeeee

        Roland

BTW: Can someone explain to me why a mailbox has to be group mail
     writable?  Are there any MDAs which don't run with root
     permission?  With procmail installed, I can safely change the
     mailbox files to permission 600 (owned by the user).

-- 
 * roland@spinnaker.de * http://www.spinnaker.de/ *
