Bug 12494 - /var/spool/mail should be 1777 -- Dupes 10678
/var/spool/mail should be 1777 -- Dupes 10678
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: imap (Show other bugs)
6.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Cristian Gafton
:
: 21126 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-18 20:54 EDT by R P Herrold
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-06-18 20:54:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description R P Herrold 2000-06-18 20:54:57 EDT
The 'correct' permissions for /var/spool/mail _MUST_ be changed to 1777
here -- the owning package, in order to properly run the imapd.  See the
analysis on Bug 10678.

The 'taint' bit protects the lockfile, and false writes to mail spool
files, when combined with file ownerships.

Linuxconf also needs to have this change fed back to its maintainer as a
'correct' behavior.

As with other 7.0 changes, this is the RIGHT time to make this change.
Comment 1 Alan Cox 2000-08-04 21:52:08 EDT
1777 mail spool directory allows all sorts of unpleasant disk filling attacks,
people making symlinks into the mail spool and worse. Most mail applications are
not hardened against that kind of abuse.

Sure - there should be an sgid external mail-lock helper. I've been trying to
beat this into certain mail package authors for 3 or 4 years. But there isnt and
your cure is worse than the disease, far far worse than the disease
Comment 2 Mike A. Harris 2000-11-20 13:15:01 EST
*** Bug 21126 has been marked as a duplicate of this bug. ***
Comment 3 Mike A. Harris 2000-11-20 13:16:31 EST
*** Bug 21126 has been marked as a duplicate of this bug. ***
Comment 4 Mike A. Harris 2000-11-20 13:18:50 EST
*** Bug 21126 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.