I apologize for not responding earlier; I was on vacation until Tuesday.
The answer to your question is:
"If I understand your question correctly, the answer is yes. It is OK for
mailbox files in /var/mail to be protected 0600 without any specific group
setting. In fact, this is the normal and expected protection for mailbox
files for the UW c-client library.
"Nothing in any version of Pine, Alpine, UW imapd, ipop3d, or any other UW
c-client based application has any dependency upon a mailbox file being
accessible by group mail.
"c-client based applications run without privileges (including without
setgid mail). Thus, they prefer that the protection of the mail spool
directory, e.g., /var/mail, be the traditional 1777. Although it is
possible to harass another user by creating fake locks, it is difficult to
do this anonymously if the mail spool is located on its own filesystem.
"Some systems set the protection of the mail spool directory to be 775
with the group set to mail. In that case, c-client based applications
require the installation of the external mlock helper tool, which is
distributed as part of the UW IMAP toolkit. mlock runs as setgid mail,
and tries to be as paranoid as possible in making sure that its access is
safe."
On Mon, 17 Mar 2008, Asheesh Laroia wrote:
Dear alpiners,
In Debian, the Policy currently says: "Mailboxes are generally mode 660
user.mail unless the system administrator has chosen otherwise. . . .
Mailboxes must be writable by group mail. "
<http://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-mail-transport-agents>
This refers to the permissions of mbox files in /var/mail/. Josip Rodin is
trying to change this in Debian. In particular, he wants to remove the
requirement that the mbox files be writable by the mail group. I wanted to
ask the UW alpiners:
If Debian used mode 0600 for the mailboxes in /var/mail, would that be okay?
In particular, I'd like to know if it would cause locking problems for alpine
or the UW IMAPd. I'd be curious to also know if older versions of PINE would
also be okay with the changes.
Note that Josip's suggested change is simply to remove the "must be writable
by group mail" sentence from the Policy, not to make a specific
recommendation. I mention 0600 for the user mbox files as an example; it
seems like the most restrictive the files could be to be useful, so if they
are less restrictive than that (al)pine should be fine as well.
As I understand things, this change would be fine - but better safe than
sorry when changing Policy!
For your entirely optional reading pleasure, the full text of Josip Rodin's
message can be found at
http://permalink.gmane.org/gmane.linux.debian.devel.bugs.general/387931 - I'm
CC:ing the bug so this conversation can be recorded in the right place for
Debian people to review it; please keep the bug on the CC:s. Josip quotes a
message about pine from 1999 that can be found at
http://lists.debian.org/debian-policy/1999/06/msg00108.html ; it seems that
Brock was mistaken, and a response can be found at
http://lists.debian.org/debian-policy/1999/06/msg00124.html .
-- Asheesh.
--
Q: What do you call a boomerang that doesn't come back?
A: A stick.
_______________________________________________
Alpine-info mailing list
[EMAIL PROTECTED]
https://mailman1.u.washington.edu/mailman/listinfo/alpine-info
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
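Added example (not part of the thread, and not code from the UW IMAP toolkit): a small Python audit script that encodes the two spool layouts Mark describes (a 1777 spool where unprivileged c-client applications can create their own lock files, or a 775 group-mail spool that needs the setgid-mail mlock helper) and reports mailbox files whose mode is looser than the 0600 minimum the thread calls normal. All function names are mine; the gid of group "mail" is passed in as a parameter rather than looked up, and the demo spool is constructed in a temporary directory so the script runs offline without touching /var/mail.

```python
import os
import stat
import tempfile

# Rules as stated in the thread:
#  - Mailbox files may be 0600 with no special group; c-client never needs
#    group "mail" access to the file itself.
#  - The spool directory is expected to be 1777 (world-writable + sticky) so
#    unprivileged c-client apps can create lock files, OR
#  - 775 group "mail", in which case the setgid-mail mlock helper is required.

TRADITIONAL = "traditional-1777: unprivileged c-client locking works"
NEEDS_MLOCK = "775 group mail: install the setgid-mail mlock helper"
UNSUPPORTED = "unrecognised spool mode: c-client locking may fail"


def spool_gid(spool_dir):
    """Numeric gid owning the spool directory (used by the demo/test)."""
    return os.stat(spool_dir).st_gid


def classify_spool(spool_dir, mail_gid):
    """Classify a spool directory into one of the thread's two layouts.

    mail_gid is the numeric gid of group 'mail', supplied by the caller so the
    check also works on hosts that have no such group (e.g. the demo below).
    """
    st = os.stat(spool_dir)
    mode = stat.S_IMODE(st.st_mode)          # permission bits incl. sticky
    if mode == 0o1777:
        return TRADITIONAL
    if mode == 0o775 and st.st_gid == mail_gid:
        return NEEDS_MLOCK
    return UNSUPPORTED


def audit_mailboxes(spool_dir):
    """Return {filename: finding} for every regular file in the spool.

    0600 is the most restrictive mode that still works for c-client; group
    bits are allowed but not required, and any 'other' bit exposes a user's
    mail to every local account.
    """
    findings = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.lstat(path)                   # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o600 != 0o600:
            findings[name] = "owner cannot read/write own mailbox (mode %o)" % mode
        elif mode & 0o007:
            findings[name] = "world-accessible mailbox (mode %o)" % mode
        elif mode & 0o070:
            findings[name] = "group-accessible (mode %o); allowed, not required" % mode
        else:
            findings[name] = "ok (0600)"
    return findings


def build_demo_spool(dir_mode, mailbox_modes):
    """Construct a throw-away spool directory for offline demonstration.

    mailbox_modes maps user name -> file mode; contents are a constructed
    one-line mbox header, not real mail.
    """
    spool = tempfile.mkdtemp(prefix="demo-mail-")
    for user, mode in mailbox_modes.items():
        path = os.path.join(spool, user)
        with open(path, "w") as fh:
            fh.write("From %s Mon Mar 17 00:00:00 2008\n" % user)  # constructed
        os.chmod(path, mode)
    os.chmod(spool, dir_mode)
    return spool


if __name__ == "__main__":
    demo = build_demo_spool(0o1777, {"alice": 0o600, "bob": 0o644, "carol": 0o660})
    print("spool:", classify_spool(demo, spool_gid(demo)))
    for name, finding in audit_mailboxes(demo).items():
        print("%-8s %s" % (name, finding))
```

To run it against a real system, call `classify_spool("/var/mail", grp.getgrnam("mail").gr_gid)` and `audit_mailboxes("/var/mail")` as a user allowed to stat the spool; the demo deliberately never reads the real spool.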