Bug 769

Summary: Group of binary /usr/bin/inc is "root" - should be "mail"
Product: [Retired] Red Hat Linux Reporter: Chris Evans <chris>
Component: nmhAssignee: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: low    
Version: 5.2Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-01-10 20:06:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Chris Evans 1999-01-09 22:20:22 UTC
This is a minor security concern.
It might also break the ability of "inc" to access the
mail spool.

Comment 1 Jeff Johnson 1999-01-10 16:22:59 UTC
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only*
on fcntl style locking on mail boxes. That means that the old
requirement that MUA need write access to the spool directory in
order to implement dot-file locking is no longer necessary. So I
would claim that setgid mail is not required in nmh.

Please reopen this bug with a more complete description of a
reproducible problem if I am mistaken.

Comment 2 Chris Evans 1999-01-10 16:45:59 UTC
OK - so maybe sgid mail isn't required.
However, the bug is that sgid root is what the program currently has
and this _definitely_ isn't required. Having it without needing it
is a security concern.

Comment 3 Jeff Johnson 1999-01-10 19:01:59 UTC
Thanks for reopening -- I noticed that the setgid root
created a different problem right after closing the original
bug report.

The /usr/bin/inc became setgid root (rather than mail) during
packaging. The setgid is removed in nmh-0.27-3. The security
issues appear minor but are currently being assessed.

Comment 4 Jeff Johnson 1999-01-10 20:06:59 UTC
Since there are no known exploits of the /usr/bin/inc setgid root
anomaly, there will not be a security errata to correct this bug
in Red Hat 5.2.