|Summary:||Group of binary /usr/bin/inc is "root" - should be "mail"|
|Product:||[Retired] Red Hat Linux||Reporter:||Chris Evans <chris>|
|Component:||nmh||Assignee:||David Lawrence <dkl>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||1999-01-10 20:06:18 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Chris Evans 1999-01-09 22:20:22 UTC
This is a minor security concern. It might also break the ability of "inc" to access the mail spool.
Comment 1 Jeff Johnson 1999-01-10 16:22:59 UTC
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only* on fcntl style locking on mail boxes. That means that the old requirement that MUA need write access to the spool directory in order to implement dot-file locking is no longer necessary. So I would claim that setgid mail is not required in nmh. Please reopen this bug with a more complete description of a reproducible problem if I am mistaken.
Comment 2 Chris Evans 1999-01-10 16:45:59 UTC
OK - so maybe sgid mail isn't required. However, the bug is that sgid root is what the program currently has and this _definitely_ isn't required. Having it without needing it is a security concern.
Comment 3 Jeff Johnson 1999-01-10 19:01:59 UTC
Thanks for reopening -- I noticed that the setgid root created a different problem right after closing the original bug report. The /usr/bin/inc became setgid root (rather than mail) during packaging. The setgid is removed in nmh-0.27-3. The security issues appear minor but are currently being assessed.
Comment 4 Jeff Johnson 1999-01-10 20:06:59 UTC
Since there are no known exploits of the /usr/bin/inc setgid root anomaly, there will not be a security errata to correct this bug in Red Hat 5.2.