Bug 769 - Group of binary /usr/bin/inc is "root" - should be "mail"
Summary: Group of binary /usr/bin/inc is "root" - should be "mail"
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nmh   
(Show other bugs)
Version: 5.2
Hardware: i386 Linux
low
medium
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-01-09 22:20 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-01-10 20:06:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Chris Evans 1999-01-09 22:20:22 UTC
This is a minor security concern.
It might also break the ability of "inc" to access the
mail spool.

Comment 1 Jeff Johnson 1999-01-10 16:22:59 UTC
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only*
on fcntl style locking on mail boxes. That means that the old
requirement that MUA need write access to the spool directory in
order to implement dot-file locking is no longer necessary. So I
would claim that setgid mail is not required in nmh.

Please reopen this bug with a more complete description of a
reproducible problem if I am mistaken.

Comment 2 Chris Evans 1999-01-10 16:45:59 UTC
OK - so maybe sgid mail isn't required.
However, the bug is that sgid root is what the program currently has
and this _definitely_ isn't required. Having it without needing it
is a security concern.

Comment 3 Jeff Johnson 1999-01-10 19:01:59 UTC
Thanks for reopening -- I noticed that the setgid root
created a different problem right after closing the original
bug report.

The /usr/bin/inc became setgid root (rather than mail) during
packaging. The setgid is removed in nmh-0.27-3. The security
issues appear minor but are currently being assessed.

Comment 4 Jeff Johnson 1999-01-10 20:06:59 UTC
Since there are no known exploits of the /usr/bin/inc setgid root
anomaly, there will not be a security errata to correct this bug
in Red Hat 5.2.


Note You need to log in before you can comment on or make changes to this bug.