Bug 427561 - alpine warns about 1777 protection on /var/spool/mail at startup
alpine warns about 1777 protection on /var/spool/mail at startup
Product: Fedora
Classification: Fedora
Component: alpine (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Joshua Daniel Franklin
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-01-04 13:46 EST by Ben Webb
Modified: 2012-01-15 18:21 EST (History)
2 users (show)

See Also:
Fixed In Version: alpine-2.02-3.el4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-11 13:17:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ben Webb 2008-01-04 13:46:32 EST
Description of problem:
Every time alpine starts up, I get the message:

 [Folder vulnerable - directory /var/spool/mail must have 1777 protection]

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start up alpine.
Actual results:
Alpine warns
 [Folder vulnerable - directory /var/spool/mail must have 1777 protection]

Expected results:
Alpine works without warnings with the normal system permissions (775 on my
system). I would rather not make /var/spool/mail world-writable (even with the
sticky bit). If that's the only solution, presumably the Fedora-installed
default permissions should be changed.

Additional info:
http://bugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=414264 describes the same
issue. We were previously using pine 4.64 (from the old Dag repository) which
did not have this problem. Since /usr/bin/pine in that package is not setgid
mail, I suspect it includes a patch to either fix the locking or just ignore the
Comment 1 Joshua Daniel Franklin 2008-01-08 16:55:50 EST
Rex, what did you do with livna pine on this issue?
Comment 2 Rex Dieter 2008-01-08 18:20:08 EST
Comment 3 Ben Webb 2008-01-08 18:43:46 EST
In case it wasn't obvious, our users run pine/alpine directly on our mail
server, so it accesses the mailboxes directly, not via IMAP.

Does the "nothing" in comment #2 mean that Livna pine also reports the same
warning, and users are just supposed to ignore it, or that no patch was
necessary because for some reason pine doesn't have this warning?
Comment 4 Rex Dieter 2008-01-08 18:49:16 EST
sorry, too terse, second try.  Yes, pine had the same error/warning, and I did
nothing to address this there.
Comment 5 Rex Dieter 2008-01-08 19:55:48 EST
Ben, this warning is likely coming from the imap server, not the clients running
alpine.  Are you using uw-imap?
Comment 6 Ben Webb 2008-01-08 20:03:10 EST
No, that's impossible, because alpine is accessing the mailboxes directly, not
via IMAP. See comment #3.
Comment 7 Rex Dieter 2008-01-08 20:09:34 EST
my bad. :)
Comment 8 Ben Webb 2008-01-08 20:27:01 EST
OK, so I poked around in the dag pine package some more, and found that it does
include patches to fix the locking:

I'm not familiar with the pine/alpine code, but it looks like they're making it
use flock or fcntl somewhere.
Comment 9 Joshua Daniel Franklin 2008-01-09 13:23:48 EST
Yes, Dag's pine is *heavily* patched. We want to stay as close as possible to
upstream though.

Rex, it looks like uw-imap-utils includes setgid mail mlock. Ben, can you see if
installing uw-imap-utils makes alpine quiet down?
Comment 10 Rex Dieter 2008-01-09 13:34:30 EST
I think it'll issue the warning regardless, but I'd love to be wrong.
Comment 11 Joshua Daniel Franklin 2008-01-09 15:29:20 EST
Well I found at least one distro is patching this issue:


MRC has this message in alpine-1.00/imap/src/osdep/unix/env_unix.c :

/* Note: setting disableLockWarning means that you assert that the
 * so-modified copy of this software will NEVER be used:
 *  1) in conjunction with any software which expects .lock files
 *  2) to access NFS-mounted files and directories
 * Unless both of these conditions apply, then do not set this flag.
 * Instead, read the FAQ (item 7.10) and either use 1777 protection
 * on the mail spool, or install mlock.
 * In addition, by setting this flag you also agree that you are fully
 * legally and morally responsible when (not if) mail files are damaged
 * as the result of your choice.
 * The mlock tool exists for a reason.  Use it.
Comment 12 Ben Webb 2008-01-10 20:57:58 EST
(In reply to comment #9)

I agree - it'd be great not to have huge patches in the package. The Dag pine
package also includes a setgid mail mlock, so that's probably what makes it
work. I tried the uw-imap-utils package, and yes - the alpine warning does
subsequently go away. So that seems like a perfect solution, thanks! (Perhaps
it's too much to have the alpine package require uw-imap-utils, but it could be
recommended in the docs or package description.)
Comment 13 Joshua Daniel Franklin 2008-01-11 13:17:22 EST
Great! I'll make a note that uw-imap-utils is suggested if you're running alpine
against a local /var/spool/mail/ INBOX. (By the way, alpine and uw-imap share
the same IMAP processing code, so it's the same mlock.) I'll close this bug as
Comment 14 Fedora Update System 2011-12-29 10:44:00 EST
alpine-2.02-3.el4 has been submitted as an update for Fedora EPEL 4.
Comment 15 Fedora Update System 2012-01-15 18:21:42 EST
alpine-2.02-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.