Description of Problem:
When a new user account is created by using the useradd command, a new empty mailbox is created in /var/spool/mail/newuser with these permissions:

-rw-rw---- newuser newgroup

But if two (or more) users have the same GID, they can read (and modify) each other's mail.

Version-Release number of selected component (if applicable):
shadow-utils-20000902-12

This is what I found in the changelog of shadow-utils. It probably has something to do with the problem mentioned above.

* Wed May 23 2001 Bernhard Rosenkraenzer <bero> 20000902-1
- Create an empty mailspool when creating a user so non-setuid/non-setgid MDAs (postfix+procmail) can deliver mail (#41811)

How Reproducible:
every time

Steps to Reproduce:
1. useradd -g users newuser1
2. useradd -g users newuser2
3. Now newuser1 and newuser2 can read and modify each other's mail

Actual Results:
see above

Expected Results:
Even if this is done deliberately, I would expect the useradd command to WARN about this potential security flaw.

Additional Information:
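An audit script for the exposure described in the report, added here as an example; it is not part of the bug report or of shadow-utils. It takes the mode/uid/gid of each spool file (the output of `stat -c '%a %u %g %n'`) together with passwd- and group-format files, and reports every mailbox whose group permission bits grant read or write while more than one account is in that group, either as its primary GID or as a supplementary member. The account names, GIDs and spool listing in the demo are constructed to mirror the report's reproduction steps (two users created with `-g users`).

```shell
#!/bin/sh
# Added example, not from the bug report or shadow-utils.
#
# audit_mail_perms LISTING PASSWD GROUP
#   LISTING lines: "<octal mode> <uid> <gid> <path>"  (what `stat -c '%a %u %g %n'` prints)
#   PASSWD  lines: name:x:uid:gid:...                 (/etc/passwd format)
#   GROUP   lines: name:x:gid:member1,member2         (/etc/group format)
# Prints one line per mailbox whose group permission digit has the read (4) or
# write (2) bit set while two or more accounts belong to that group.
audit_mail_perms() {
    awk -F: '
        # first operand (passwd): remember each account primary gid, count accounts per gid
        FILENAME == ARGV[1] { prim[$1] = $4; members[$4]++; next }
        # second operand (group): supplementary members whose primary gid differs
        FILENAME == ARGV[2] {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && prim[m[i]] != $3) members[$3]++
            next
        }
        # remaining operand (listing, whitespace separated): "mode uid gid path"
        {
            mode = $1; gid = $3; path = $4
            # group permission digit is the second-to-last octal digit (setgid may prefix a 4th)
            g = substr(mode, length(mode) - 1, 1) + 0
            # any digit >= 2 has the read bit (4) or the write bit (2) set
            if (g >= 2 && members[gid] > 1)
                printf "%s mode=%s gid=%s accounts_with_access=%d\n", path, mode, gid, members[gid]
        }
    ' "$2" "$3" FS=" " "$1"
}

# Constructed sample data (hypothetical accounts) reproducing the report: newuser1 and
# newuser2 were both created with -g users (gid 100); alice has a private group (gid 1001).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1001::/home/alice:/bin/sh
newuser1:x:1001:100::/home/newuser1:/bin/sh
newuser2:x:1002:100::/home/newuser2:/bin/sh
EOF
    cat > "$tmp/group" <<'EOF'
root:x:0:
users:x:100:
alice:x:1001:
EOF
    # every spool file carries the -rw-rw---- (660) mode from the report
    cat > "$tmp/listing" <<'EOF'
660 0 0 /var/spool/mail/root
660 1000 1001 /var/spool/mail/alice
660 1001 100 /var/spool/mail/newuser1
660 1002 100 /var/spool/mail/newuser2
EOF
    audit_mail_perms "$tmp/listing" "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

Only the two `users`-group mailboxes are reported; root's and alice's spools keep the same 660 mode but nobody else is in their groups. On a live system the same function can be fed directly: `stat -c '%a %u %g %n' /var/spool/mail/* | audit_mail_perms - /etc/passwd /etc/group` (awk reads `-` as standard input). The listing is split on whitespace, so spool paths containing spaces would be truncated; mail spool names are account names, so that does not arise in practice.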
*** This bug has been marked as a duplicate of 59810 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.