Bug 769 - Group of binary /usr/bin/inc is "root" - should be "mail"
Group of binary /usr/bin/inc is "root" - should be "mail"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: nmh (Show other bugs)
5.2
i386 Linux
low Severity medium
: ---
: ---
Assigned To: David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-01-09 17:20 EST by Chris Evans
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-01-10 15:06:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Evans 1999-01-09 17:20:22 EST
This is a minor security concern.
It might also break the ability of "inc" to access the
mail spool.
Comment 1 Jeff Johnson 1999-01-10 11:22:59 EST
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only*
on fcntl style locking on mail boxes. That means that the old
requirement that MUA need write access to the spool directory in
order to implement dot-file locking is no longer necessary. So I
would claim that setgid mail is not required in nmh.

Please reopen this bug with a more complete description of a
reproducible problem if I am mistaken.
Comment 2 Chris Evans 1999-01-10 11:45:59 EST
OK - so maybe sgid mail isn't required.
However, the bug is that sgid root is what the program currently has
and this _definitely_ isn't required. Having it without needing it
is a security concern.
Comment 3 Jeff Johnson 1999-01-10 14:01:59 EST
Thanks for reopening -- I noticed that the setgid root
created a different problem right after closing the original
bug report.

The /usr/bin/inc became setgid root (rather than mail) during
packaging. The setgid is removed in nmh-0.27-3. The security
issues appear minor but are currently being assessed.
Comment 4 Jeff Johnson 1999-01-10 15:06:59 EST
Since there are no known exploits of the /usr/bin/inc setgid root
anomaly, there will not be a security errata to correct this bug
in Red Hat 5.2.

Note You need to log in before you can comment on or make changes to this bug.