Red Hat Bugzilla – Bug 77385
Last modified: 2007-04-18 12:48:11 EDT
Description of Problem:
When a new user account is created by using the useradd command,
a new empty mailbox is created in /var/spool/mail/newuser
with these permissions:
-rw-rw---- newuser newgroup
But if two (or more) users have the same GID, they can read
(and modify) each other's mail.
Version-Release number of selected component (if applicable):
This is what I found in the changelog of shadow-utils:
It probably has something to do with the problem mentioned
* Wed May 23 2001 Bernhard Rosenkraenzer <email@example.com> 20000902-1
- Create an empty mailspool when creating a user so non-setuid/non-setgid
MDAs (postfix+procmail) can deliver mail (#41811)
Steps to Reproduce:
1. useradd -g users newuser1
2. useradd -g users newuser2
3. Now newuser1 and newuser2 can read and modify each other's mail
Even if this is done deliberately, I would expect the useradd command
to WARN about this potential security flaw.
*** This bug has been marked as a duplicate of 59810 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
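
An audit for the condition described in this report, added here as an example and not part of the original bug or of shadow-utils: it lists mailboxes that are group-readable or group-writable while their group is the primary group of more than one account. The function name `audit_mail_spool` and its output format are assumptions; it needs GNU `stat` and counts only primary GIDs from the passwd file, not supplementary members in /etc/group.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from shadow-utils).
# Usage: audit_mail_spool [spool_dir] [passwd_file]
# Prints one line per mailbox whose group bits allow read or write
# and whose group is the primary GID of two or more accounts.

audit_mail_spool() {
    spool=${1:-/var/spool/mail}
    passwd=${2:-/etc/passwd}

    for box in "$spool"/*; do
        # Skip anything that is not a regular file (also covers an empty dir).
        if [ ! -f "$box" ]; then
            continue
        fi

        mode=$(stat -c '%a' "$box")   # octal permissions, e.g. 660
        gid=$(stat -c '%g' "$box")    # numeric group owner

        # Group read (4) or write (2) bit set? The leading 0 makes the
        # shell parse the mode as an octal constant.
        if [ $(( (0$mode >> 3) & 6 )) -eq 0 ]; then
            continue
        fi

        # Count accounts whose primary GID (field 4) matches the mailbox group.
        sharers=$(awk -F: -v g="$gid" '$4 == g { n++ } END { print n + 0 }' "$passwd")

        if [ "$sharers" -gt 1 ]; then
            printf '%s mode=%s gid=%s accounts=%s\n' "$box" "$mode" "$gid" "$sharers"
        fi
    done
    return 0
}

# Run against the paths given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_mail_spool "$@"
fi
```

A flagged mailbox can be restricted to its owner with `chmod 600`, provided the local delivery agent does not rely on group access to the spool file.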