Bug 427561

Summary: alpine warns about 1777 protection on /var/spool/mail at startup
Product: [Fedora] Fedora Reporter: Ben Webb <ben>
Component: alpineAssignee: Joshua Daniel Franklin <joshuadfranklin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 8CC: hugh, jima, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: alpine-2.02-3.el4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-11 18:17:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ben Webb 2008-01-04 18:46:32 UTC 
Description of problem:
Every time alpine starts up, I get the message:

 [Folder vulnerable - directory /var/spool/mail must have 1777 protection]


Version-Release number of selected component (if applicable):
alpine-1.00-2.fc8

How reproducible:
Always.


Steps to Reproduce:
1. Start up alpine.
  
Actual results:
Alpine warns
 [Folder vulnerable - directory /var/spool/mail must have 1777 protection]


Expected results:
Alpine works without warnings with the normal system permissions (775 on my
system). I would rather not make /var/spool/mail world-writable (even with the
sticky bit). If that's the only solution, presumably the Fedora-installed
default permissions should be changed.

Additional info:
http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=414264 describes the same
issue. We were previously using pine 4.64 (from the old Dag repository) which
did not have this problem. Since /usr/bin/pine in that package is not setgid
mail, I suspect it includes a patch to either fix the locking or just ignore the
warning.
Comment 1 Joshua Daniel Franklin 2008-01-08 21:55:50 UTC 
Rex, what did you do with livna pine on this issue?
Comment 2 Rex Dieter 2008-01-08 23:20:08 UTC 
nothing.
Comment 3 Ben Webb 2008-01-08 23:43:46 UTC 
In case it wasn't obvious, our users run pine/alpine directly on our mail
server, so it accesses the mailboxes directly, not via IMAP.

Does the "nothing" in comment #2 mean that Livna pine also reports the same
warning, and users are just supposed to ignore it, or that no patch was
necessary because for some reason pine doesn't have this warning?
Comment 4 Rex Dieter 2008-01-08 23:49:16 UTC 
sorry, too terse, second try.  Yes, pine had the same error/warning, and I did
nothing to address this there.
Comment 5 Rex Dieter 2008-01-09 00:55:48 UTC 
Ben, this warning is likely coming from the imap server, not the clients running
alpine.  Are you using uw-imap?
Comment 6 Ben Webb 2008-01-09 01:03:10 UTC 
No, that's impossible, because alpine is accessing the mailboxes directly, not
via IMAP. See comment #3.
Comment 7 Rex Dieter 2008-01-09 01:09:34 UTC 
my bad. :)
Comment 8 Ben Webb 2008-01-09 01:27:01 UTC 
OK, so I poked around in the dag pine package some more, and found that it does
include patches to fix the locking:
http://dag.wieers.com/rpm/packages/pine/pine.spec

I'm not familiar with the pine/alpine code, but it looks like they're making it
use flock or fcntl somewhere.
Comment 9 Joshua Daniel Franklin 2008-01-09 18:23:48 UTC 
Yes, Dag's pine is *heavily* patched. We want to stay as close as possible to
upstream though.

Rex, it looks like uw-imap-utils includes setgid mail mlock. Ben, can you see if
installing uw-imap-utils makes alpine quiet down?
Comment 10 Rex Dieter 2008-01-09 18:34:30 UTC 
I think it'll issue the warning regardless, but I'd love to be wrong.
Comment 11 Joshua Daniel Franklin 2008-01-09 20:29:20 UTC 
Well I found at least one distro is patching this issue:

http://www.mail-archive.com/pld-cvs-commit@lists.pld-linux.org/msg117316.html

MRC has this message in alpine-1.00/imap/src/osdep/unix/env_unix.c :

/* Note: setting disableLockWarning means that you assert that the
 * so-modified copy of this software will NEVER be used:
 *  1) in conjunction with any software which expects .lock files
 *  2) to access NFS-mounted files and directories
 *
 * Unless both of these conditions apply, then do not set this flag.
 * Instead, read the FAQ (item 7.10) and either use 1777 protection
 * on the mail spool, or install mlock.
 *
 * In addition, by setting this flag you also agree that you are fully
 * legally and morally responsible when (not if) mail files are damaged
 * as the result of your choice.
 *
 * The mlock tool exists for a reason.  Use it.
 */
Comment 12 Ben Webb 2008-01-11 01:57:58 UTC 
(In reply to comment #9)

I agree - it'd be great not to have huge patches in the package. The Dag pine
package also includes a setgid mail mlock, so that's probably what makes it
work. I tried the uw-imap-utils package, and yes - the alpine warning does
subsequently go away. So that seems like a perfect solution, thanks! (Perhaps
it's too much to have the alpine package require uw-imap-utils, but it could be
recommended in the docs or package description.)
Comment 13 Joshua Daniel Franklin 2008-01-11 18:17:22 UTC 
Great! I'll make a note that uw-imap-utils is suggested if you're running alpine
against a local /var/spool/mail/ INBOX. (By the way, alpine and uw-imap share
the same IMAP processing code, so it's the same mlock.) I'll close this bug as
NOTABUG too.
Comment 14 Fedora Update System 2011-12-29 15:44:00 UTC 
alpine-2.02-3.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/alpine-2.02-3.el4
Comment 15 Fedora Update System 2012-01-15 23:21:42 UTC 
alpine-2.02-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 D. Hugh Redelmeier 2023-05-23 14:39:39 UTC 
I have this problem on Fedora 38:  alpine-2.26-3.fc38.x86_64

I have had this problem for a long time.
I usually give in and chmod /var/spool/mail to 1777.  This seems wrong.

What is the correct fix?