Bug 75418 – useradd creates group readable/writable mailspool file

Bug 75418 - useradd creates group readable/writable mailspool file

Summary:	useradd creates group readable/writable mailspool file

Status:	CLOSED DUPLICATE of bug 59810

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	shadow-utils (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	i386 Linux

Priority	high Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nalin Dahyabhai
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2002-10-08 06:11 EDT by Jarno Huuskonen
Modified:	2007-03-26 23:57 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-02-21 13:49:47 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch from Owl for securely creating the mailspool file (1.17 KB, patch) 2002-10-08 06:13 EDT, Jarno Huuskonen	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jarno Huuskonen 2002-10-08 06:11:17 EDT

Description of Problem:
useradd creates /var/spool/mail/username mailspool file with mode 0660, so
if the users primary group is a shared group eg. users then all other group
members can read/write the poor users mails.

Version-Release number of selected component (if applicable):
shadow-utils-20000902-7

How Reproducible:
always

Steps to Reproduce:
1. useradd -g users somebody

Actual Results:
/var/spool/mail/somebody is owned by somebody:users and is mode 0660

Expected Results:
/var/spool/mail/somebody should not be readable/writable by users group !

Additional Information:
This bug is a duplicate of 59810. This one just applies to RH 7.3. I also
checked the latest rawhide shadow-utils and it still has the same buggy
shadow-20000902-mailspool.patch patch.

Owl has a patch for "correctly" creating the mailspool. That patch applies to
shadow-utils-20000902-7 with minimal changes. I'll attach the patch.

Comment 1 Jarno Huuskonen 2002-10-08 06:13:49 EDT

Created attachment 79325 [details]
Patch from Owl for securely creating the mailspool file

Comment 2 Alan Cox 2002-12-18 13:03:50 EST


*** This bug has been marked as a duplicate of 59810 ***

Comment 3 Red Hat Bugzilla 2006-02-21 13:49:47 EST

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.