75418 – useradd creates group readable/writable mailspool file

Bug 75418 - useradd creates group readable/writable mailspool file

Summary: useradd creates group readable/writable mailspool file

Status:	CLOSED DUPLICATE of bug 59810
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	shadow-utils (Show other bugs)
Sub Component:	(Show other bugs)
Version:	7.3
Hardware:	i386 Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-10-08 10:11 UTC by Jarno Huuskonen
Modified:	2007-03-27 03:57 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-02-21 18:49:47 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch from Owl for securely creating the mailspool file (1.17 KB, patch) 2002-10-08 10:13 UTC, Jarno Huuskonen	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Jarno Huuskonen 2002-10-08 10:11:17 UTC

Description of Problem:
useradd creates /var/spool/mail/username mailspool file with mode 0660, so
if the users primary group is a shared group eg. users then all other group
members can read/write the poor users mails.

Version-Release number of selected component (if applicable):
shadow-utils-20000902-7

How Reproducible:
always

Steps to Reproduce:
1. useradd -g users somebody

Actual Results:
/var/spool/mail/somebody is owned by somebody:users and is mode 0660

Expected Results:
/var/spool/mail/somebody should not be readable/writable by users group !

Additional Information:
This bug is a duplicate of 59810. This one just applies to RH 7.3. I also
checked the latest rawhide shadow-utils and it still has the same buggy
shadow-20000902-mailspool.patch patch.

Owl has a patch for "correctly" creating the mailspool. That patch applies to
shadow-utils-20000902-7 with minimal changes. I'll attach the patch.

Comment 1 Jarno Huuskonen 2002-10-08 10:13:49 UTC

Created attachment 79325 [details]
Patch from Owl for securely creating the mailspool file

Comment 2 Alan Cox 2002-12-18 18:03:50 UTC


*** This bug has been marked as a duplicate of 59810 ***

Comment 3 Red Hat Bugzilla 2006-02-21 18:49:47 UTC

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.

TreeView+

- Top of page