[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#470994: mail_spool default mode is 0660

Josip Rodin <joy@debbugs.entuzijast.net> writes:
> On Sat, Jul 05, 2008 at 04:26:25PM -0700, Russ Allbery wrote:

>> Here is a proposed change to loosen this requirement.  Please comment.
>> One concern that I have with allowing either permission scheme is that
>> if an MUA needs to recreate the spool file, how should it know what
>> permissions to use?

> I guess we should grep the sources of a few MUAs (and MDAs) to see what
> they do. In the meantime, the new phrasing is still much better than the
> current text :)

If someone has time to do that investigation, I think that would be very
worthwhile.

> I guess that the point of that run-on sentence is the understanding that
> packages should not go out of their way to prevent such sysadmin changes,
> so it would make sense to add a full stop after the two options and write
> a proper new sentence about that.

Yeah, I'm not at all sure what this language is really trying to say in
practice.  I took another shot at it below.

> Just a spelling fix - s/principal/the principle/

Thanks; Kerberos creates finger memory and makes it almost impossible for
me to type principle.  :)

diff --git a/policy.sgml b/policy.sgml
index 7d54e29..6969220 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -8062,12 +8062,27 @@ http://localhost/doc/<var>package</var>/<var>filename</var>
 	</p>
 
 	<p>
-	  Mailboxes are generally mode 660
-	  <tt><var>user</var>:mail</tt> unless the system
-	  administrator has chosen otherwise.  A MUA may remove a
-	  mailbox (unless it has nonstandard permissions) in which
-	  case the MTA or another MUA must recreate it if needed.
-	  Mailboxes must be writable by group mail.
+	  Mailboxes are generally either mode 600 and owned by
+	  <var>user</var> or mode 660 and owned by
+	  <tt><var>user</var>:mail</tt><footnote>
+	    There are two traditional permission schemes for mail spools:
+	    mode 600 with all mail delivery done by processes running as
+	    the destination user, or mode 660 and owned by group mail with
+	    mail delivery done by a process running as a system user in
+	    group mail.  Historically, Debian required mode 660 mail
+	    spools to enable the latter model, but that model has become
+	    increasingly uncommon and the principle of least privilege
+	    indicates that mail systems that use the first model should
+	    use permissions of 600.  If delivery to programs is permitted,
+	    it's easier to keep the mail system secure if the delivery
+	    agent runs as the destination user.  Debian Policy therefore
+	    permits either scheme.
+	  </footnote>. The local system administrator may choose a
+	  different permission scheme; packages should not make
+	  assumptions about the permission and ownership of mailboxes
+	  unless required (such as when creating a new mailbox).  A MUA
+	  may remove a mailbox (unless it has nonstandard permissions) in
+	  which case the MTA or another MUA must recreate it if needed.
 	</p>
 
 	<p>

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: