pop3d seems to want permissions 1777 on /var/spool/mail so that it can create lock files. linuxconf still wants /var/spool/mail to be 0775 (or something similar).
The 1777 is explained in the IMAP FAQ: http://www.washington.edu/imap/IMAP-FAQs/FAQ-00013.html

"In order to update a mailbox in the default UNIX format, it is necessary to create a lock file to prevent the mailer from delivering mail while an update is in progress. Some systems use a directory protection of 775, requiring that all mail handling programs be setgid mail; or of 755, requiring that all mail handling programs be setuid root. The IMAP toolkit does not run with any special privileges, and we plan to keep it that way."
Two points: (a) it is much more security conscious to use a short suid or sgid wrapper than to have a world-writeable directory. (Think hard links.) (b) If Redhat decides that 1777 are the right permissions for /var/spool/mail, then they should update the list of permissions in linuxconf.
imap- and pop-daemon run SGID mail on redhat 6.2:

$:> ls -l /usr/sbin/{imapd,ipop3d}
-rwxr-xr-x 1 root mail 661376 Mar 2 00:47 /usr/sbin/imapd
-rwxr-xr-x 1 root mail 623904 Mar 2 00:47 /usr/sbin/ipop3d

cu andreas
No, Andreas - look more closely: the binaries are owned by the mail group but the SGID bit isn't set. The perms for both are rwxr-xr-x, not rwxr-sr-x.
A related problem is that the "filesystem" RPM doesn't have /var/spool/mail mode 1777. If you decide that in fact the directory should have that mode, the filesystem RPM needs to be updated.
It should not be 1777, someone needs to check the sgid mail flags on the binaries.
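An added example, not part of the original bug thread: a small audit script for the two things debated above, the mode of the spool directory and whether the mail daemons really carry the setgid bit (group ownership by mail alone is not SGID). It assumes GNU stat as found on Linux; the function names are made up for this example, and the paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as found on Linux.

# Octal permission bits of a path, converted to a shell integer.
mode_bits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    echo $((0$m))            # leading 0 makes the shell parse it as octal
}

# Classify a spool directory by the modes the IMAP FAQ quote contrasts.
classify_spool() {
    bits=$(mode_bits "$1") || { echo missing; return 0; }
    if [ $((bits & 0002)) -ne 0 ]; then
        if [ $((bits & 01000)) -ne 0 ]; then
            echo sticky-world-writable      # 1777: any user may create lock files
        else
            echo world-writable-no-sticky   # 0777: users can remove each other's files
        fi
    elif [ $((bits & 0020)) -ne 0 ]; then
        echo group-writable                 # 775: mail programs must be setgid
    else
        echo owner-only                     # 755: mail programs must be setuid root
    fi
}

# Report whether the setgid bit is really set. Group ownership alone
# (rwxr-xr-x root:mail) gives the running process no extra group.
sgid_state() {
    bits=$(mode_bits "$1") || { echo missing; return 0; }
    grp=$(stat -c '%g' "$1")
    if [ $((bits & 02000)) -ne 0 ]; then
        echo "setgid gid=$grp"
    else
        echo "not-setgid gid=$grp"
    fi
}

# Paths are the ones named in the thread; missing ones are reported as such.
audit() {
    echo "/var/spool/mail: $(classify_spool /var/spool/mail)"
    for f in /usr/sbin/imapd /usr/sbin/ipop3d; do
        echo "$f: $(sgid_state "$f")"
    done
}
audit
```

On the listing Andreas posted, sgid_state would report not-setgid for both binaries, since rwxr-xr-x has no s in the group execute position.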
assigned to the new owner
This was either misassigned to nalin, or was not reassigned to me when I began maintaining imap. Reassigning... The /var/spool/mail permissions are properly set to 755 which is correct. This operation is intended, and the warning messages have been squelched in the respective packages. linuxconf is deprecated.
If these messages were really squelched, it looks like there is a regression in RedHat Enterprise Linux ES 3.0 Update 1. I am seeing log messages of the form:

Feb 16 14:23:16 sycamore ipop3d[8976]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

The package is imap-2002d-2.rpm from the ES 3.0 Update 1 distribution. The /var/spool/mail directory is (as installed in ES 3.0 Update 1):

drwxrwxr-x 2 root mail 4096 Feb 16 14:21 /var/spool/mail

I was not seeing these when running 7.2 (with all updates), which I was running until 2/15/04.
This bug report is very ancient and for a no longer supported OS release. If you are experiencing a problem that is similar, file a brand new bug report in bugzilla along with the relevant details, flagged against the product and version you are using. Thanks.