Bug#470994: mail_spool default mode is 0660
On Tue, Mar 18, 2008 at 09:50:09AM -0700, Russ Allbery wrote:
> Josip Rodin <firstname.lastname@example.org> writes:
> > On Mon, Mar 17, 2008 at 09:56:52PM -0700, Russ Allbery wrote:
> >> I don't know what the original Debian rationale was, but the
> >> traditional UNIX rationale for group-writable user mail spools is so
> >> that you don't have to run your mail system as root and can instead run
> >> it as some other user in group mail.
> >> However, everyone seems to have given up on that or at least uses a
> >> setuid-root MDA, so I'm not sure it's serving any real purpose at this
> >> point.
> > Or they don't use root at all for the MDA, instead setuid'ing to the
> > user itself. See also #405584.
> In order to deliver mail as the user, *something* has to be either running
> as root or setuid. That's basically my point.
That's why I said no root for MDA - it's there for the MTA :)
> Group-writable mail spools allow the entire mail delivery chain to never
> run as root (with the possible exception of binding to port 25 if you want
> to accept incoming SMTP traffic), as long as you don't care about
> forwarding to programs.
> I don't know if we care about supporting this, though.
Right. I don't think I've ever actually seen such an implementation.
So it doesn't seem to make sense to enforce this by way of a "must"
directive in the policy manual, and at the expense of user privacy
in case of security problems.
2. That which causes joy or happiness.