
Bug#470994: mail_spool default mode is 0660



Josip Rodin <joy@debbugs.entuzijast.net> writes:

> Okay, given that I see no rationale for the sentence "Mailboxes must be
> writable by group mail.", I'm reassigning this to debian-policy.

Here is a proposed change to loosen this requirement.  Please comment.
One concern that I have with allowing either permission scheme is that if
an MUA needs to recreate the spool file, how should it know what
permissions to use?

diff --git a/policy.sgml b/policy.sgml
index 24c9072..f794ed5 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -8046,12 +8046,24 @@ http://localhost/doc/<var>package</var>/<var>filename</var>
 	</p>
 
 	<p>
-	  Mailboxes are generally mode 660
-	  <tt><var>user</var>:mail</tt> unless the system
-	  administrator has chosen otherwise.  A MUA may remove a
-	  mailbox (unless it has nonstandard permissions) in which
-	  case the MTA or another MUA must recreate it if needed.
-	  Mailboxes must be writable by group mail.
+	  Mailboxes are generally either owned by <var>user</var> and mode
+	  600 or owned by <tt><var>user</var>:mail</tt> and mode 660
+	  unless the system administrator has chosen otherwise<footnote>
+	    There are two traditional permission schemes for mail spools:
+	    mode 600 with all mail delivery done by processes running as
+	    the destination user, or mode 660 and owned by group mail with
+	    mail delivery done by a process running as a system user in
+	    group mail.  Historically, Debian required mode 660 mail
+	    spools to enable the latter model, but that model has become
+	    increasingly uncommon and principal of least privilege
+	    indicates that mail systems that use the first model should
+	    use permissions of 600.  If delivery to programs is permitted,
+	    it's easier to keep the mail system secure if the delivery
+	    agent runs as the destination user.  Debian Policy therefore
+	    permits either scheme.
+	  </footnote>. A MUA may remove a mailbox (unless it has
+	  nonstandard permissions) in which case the MTA or another MUA
+	  must recreate it if needed.
 	</p>
 
 	<p>
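Review bot: the footnote text added in this hunk misspells "principal of least privilege"; it should read "the principle of least privilege indicates that mail systems that use the first model should use permissions of 600". A second point, which echoes the concern raised above the patch: the retained sentence "A MUA may remove a mailbox ... in which case the MTA or another MUA must recreate it if needed" now sits next to two permitted schemes (owner-only mode 600 versus user:mail mode 660), but the hunk does not say which one the recreating program should apply, so two programs on the same system could legitimately recreate the same spool with different modes. Consider adding a sentence stating that the recreating program must use the scheme the system administrator has chosen for that system, so that a spool is never recreated group-writable on a system that is configured for owner-only delivery.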

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


