
Re: should /var/spool/mail/ have a the sticky bit set? ...



On Sun, Apr 01, 2001 at 11:36:47PM +0000, Miquel van Smoorenburg wrote:
> In article <20010330145235.Z909@plato.local.lan>,
> Ethan Benson  <erbenson@alaska.net> wrote:
> >the problem is you updated to the mailx package in
> >security.debian.org, the old one had a security hole that allowed
> >users to get gid=mail.  since mailx's code is a pile of crap as far as
> >security is concerned debian (and some other distros) just said hell
> >with it and removed the setgid bit altogether.  this means mail can
> >only be used to send mail and not read it (well you can read it, but
> >not delete or write the mailbox in any way) 
> 
> I'm not quite sure if this is correct, but if it is, mailx

read the security advisory, it explains that mailx is too insecure to
be setgid, and that removing setgid in this fix does break its ability
to write mailboxes.  it's known and documented.  

> should be converted to use liblockfile .. it solves the
> problem nicely.

yes it should, but i suspect this is too much of a change for the
security team to mess with.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
