Package: mlock Version: 7:2007b~dfsg-4+lenny3 Followup-For: Bug #450665
The bug is still present on standard Debian Lenny installations with uw-imapd 7:2007b~dfsg-4+lenny3 ipopd 7:2007b~dfsg-4+lenny3 mlock 7:2007b~dfsg-4+lenny3 I suggest to raise the severity of this bug to "serious" or "grave" since failing to lock the mailbox properly may destroy mail. Alternatively, consider fixing the bug, either by compiling imapd and ipop with the correct path of mlock, or by installing mlock with a symbolic link /usr/sbin/mlock --> /usr/bin/mlock Summary of the problem (see also the other reports): imapd/ipop3d is installed sgid mail, but when accessing a mailbox, it has assumed the identity of the user. Therefore dropping a lock file in /var/mail fails (Mailbox vulnerable - directory /var/mail must have 1777 protection), since according to Debian policy, /var/mail has permission drwxrwsr-x, owner root.mail. So imapd/ipop3d falls back to mlock. However, mlock is installed in /usr/bin, whereas the path compiled in in imapd/ipop3d is /usr/sbin. As a work around, one can add the link /usr/sbin/mlock --> /usr/bin/mlock manually, but fixing the bug should be easy. This would also close bug #499189 of ipopd Thanks, Gernot -- System Information: Debian Release: 5.0.2 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores) Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages mlock depends on: ii libc6 2.9-6 GNU C Library: Shared libraries mlock recommends no packages. mlock suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
