Bug#470994: mail_spool default mode is 0660
Josip Rodin <joy@debbugs.entuzijast.net> writes:
> On Sat, Jul 05, 2008 at 04:26:25PM -0700, Russ Allbery wrote:
>> Here is a proposed change to loosen this requirement. Please comment.
>> One concern that I have with allowing either permission scheme is that
>> if an MUA needs to recreate the spool file, how should it know what
>> permissions to use?
> I guess we should grep the sources of a few MUAs (and MDAs) to see what
> they do. In the meantime, the new phrasing is still much better than the
> current text :)
If someone has time to do that investigation, I think that would be very
worthwhile.
> I guess that the point of that run-on sentence is the understanding that
> packages should not go out of their way to prevent such sysadmin changes,
> so it would make sense to add a full stop after the two options and write
> a proper new sentence about that.
Yeah, I'm not at all sure what this language is really trying to say in
practice. I took another shot at it below.
> Just a spelling fix - s/principal/the principle/
Thanks; Kerberos creates finger memory and makes it almost impossible for
me to type principle. :)
diff --git a/policy.sgml b/policy.sgml
index 7d54e29..6969220 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -8062,12 +8062,27 @@ http://localhost/doc/<var>package</var>/<var>filename</var>
</p>
<p>
- Mailboxes are generally mode 660
- <tt><var>user</var>:mail</tt> unless the system
- administrator has chosen otherwise. A MUA may remove a
- mailbox (unless it has nonstandard permissions) in which
- case the MTA or another MUA must recreate it if needed.
- Mailboxes must be writable by group mail.
+ Mailboxes are generally either mode 600 and owned by
+ <var>user</var> or mode 660 and owned by
+ <tt><var>user</var>:mail</tt><footnote>
+ There are two traditional permission schemes for mail spools:
+ mode 600 with all mail delivery done by processes running as
+ the destination user, or mode 660 and owned by group mail with
+ mail delivery done by a process running as a system user in
+ group mail. Historically, Debian required mode 660 mail
+ spools to enable the latter model, but that model has become
+ increasingly uncommon and the principle of least privilege
+ indicates that mail systems that use the first model should
+ use permissions of 600. If delivery to programs is permitted,
+ it's easier to keep the mail system secure if the delivery
+ agent runs as the destination user. Debian Policy therefore
+ permits either scheme.
+ </footnote>. The local system administrator may choose a
+ different permission scheme; packages should not make
+ assumptions about the permission and ownership of mailboxes
+ unless required (such as when creating a new mailbox). A MUA
+ may remove a mailbox (unless it has nonstandard permissions) in
+ which case the MTA or another MUA must recreate it if needed.
</p>
<p>
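Review bot: The new paragraph still leaves open the question raised earlier in this thread: it says packages may need to make assumptions about mailbox permissions "when creating a new mailbox" and that the MTA or another MUA "must recreate it if needed", but it never says which of the two now-permitted schemes (600 owned by the user, or 660 owned by user:mail) the recreating program should use. Suggest either stating that the recreating agent must match the delivery model configured on the system (660 and group mail only when delivery is done by a process in group mail, otherwise 600), or advising MUAs to truncate rather than unlink the mailbox so the existing mode and ownership survive. Related wording point: with two standard schemes, "unless it has nonstandard permissions" no longer identifies a single baseline and should say "unless it has permissions other than one of the two schemes above" or similar.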
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>