[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: should /var/spool/mail/ have a the sticky bit set? ...

On Sun, Apr 01, 2001 at 11:36:47PM +0000, Miquel van Smoorenburg wrote:
> In article <20010330145235.Z909@plato.local.lan>,
> Ethan Benson  <erbenson@alaska.net> wrote:
> >the problem is you updated to the mailx package in
> >security.debian.org, the old one had a security hole that allowed
> >users to get gid=mail.  since mailx's code is a pile of crap as far as
> >security is concerned debian (and some other distros) just said hell
> >with it and removed the setgid bit altogether.  this means mail can
> >only be used to send mail and not read it (well you can read it, but
> >not delete or write the mailbox in any way) 
> I'm not quite sure if this is correct, but if it is, mailx

read the security advisory, it explains that mailx is too insecure to
be setgid, and that removing setgid in this fix does break its ability
to write mailboxes.  its known and documented.  

> should be converted to use liblockfile .. it solves the
> problem nicely.

yes it should, but i suspect this is too much of a change for the
security team to mess with.  

Ethan Benson

Attachment: pgpb1LChr2UA6.pgp
Description: PGP signature

Reply to: