Josip Rodin <[EMAIL PROTECTED]> writes:

> On Sat, Jul 05, 2008 at 04:26:25PM -0700, Russ Allbery wrote:

>> Here is a proposed change to loosen this requirement. Please comment.

>> One concern that I have with allowing either permission scheme is that
>> if an MUA needs to recreate the spool file, how should it know what
>> permissions to use?

> I guess we should grep the sources of a few MUAs (and MDAs) to see what
> they do. In the meantime, the new phrasing is still much better than the
> current text :)

If someone has time to do that investigation, I think that would be very
worthwhile.

> I guess that the point of that run-on sentence is the understanding that
> packages should not go out of their way to prevent such sysadmin changes,
> so it would make sense to add a full stop after the two options and write
> a proper new sentence about that.

Yeah, I'm not at all sure what this language is really trying to say in
practice. I took another shot at it below.

> Just a spelling fix - s/principal/the principle/

Thanks; Kerberos creates finger memory and makes it almost impossible for
me to type principle. :)

diff --git a/policy.sgml b/policy.sgml
index 7d54e29..6969220 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -8062,12 +8062,27 @@ http://localhost/doc/<var>package</var>/<var>filename</var> </p> <p> - Mailboxes are generally mode 660 - <tt><var>user</var>:mail</tt> unless the system - administrator has chosen otherwise. A MUA may remove a - mailbox (unless it has nonstandard permissions) in which - case the MTA or another MUA must recreate it if needed. - Mailboxes must be writable by group mail. + Mailboxes are generally either mode 600 and owned by + <var>user</var> or mode 660 and owned by + <tt><var>user</var>:mail</tt><footnote> + There are two traditional permission schemes for mail spools: + mode 600 with all mail delivery done by processes running as + the destination user, or mode 660 and owned by group mail with + mail delivery done by a process running as a system user in + group mail. Historically, Debian required mode 660 mail + spools to enable the latter model, but that model has become + increasingly uncommon and the principle of least privilege + indicates that mail systems that use the first model should + use permissions of 600. If delivery to programs is permitted, + it's easier to keep the mail system secure if the delivery + agent runs as the destination user. Debian Policy therefore + permits either scheme. + </footnote>. The local system administrator may choose a + different permission scheme; packages should not make + assumptions about the permission and ownership of mailboxes + unless required (such as when creating a new mailbox). A MUA + may remove a mailbox (unless it has nonstandard permissions) in + which case the MTA or another MUA must recreate it if needed. </p> <p>

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
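Review bot: the new paragraph names the one case where a package has to pick a scheme ("unless required (such as when creating a new mailbox)") but gives no rule for it, which is exactly the open question from the cover text: if an MUA removes a spool and has to recreate it, how does it know which of the two permitted schemes to use? With the old "Mailboxes must be writable by group mail." sentence gone, an MUA that removes a 660 user:mail spool and recreates it as 600 leaves a group-mail delivery agent (the second model in the footnote) unable to write to it. Suggest adding one sentence after "(such as when creating a new mailbox)" saying what a package must do in that case, for example that it should preserve the ownership and mode of the mailbox it removed or follow the scheme already in use on the system. Relatedly, "unless it has nonstandard permissions" should now say "permissions other than either of the two schemes above", since there are now two standard ones.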
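The thread leaves open how an MUA or an administrator can tell which of the two schemes a mailbox, or the system as a whole, follows. As an added example (my code, not from the policy text or from anyone in the thread), here is a small audit that classifies every mailbox in a spool directory against the two schemes the patch describes and flags anything nonstandard, plus a heuristic for guessing the system-wide scheme from the spool directory itself. The spool path `/var/mail`, the group name `mail`, the convention that mbox files are named after their user, and the setgid-directory heuristic are all assumptions of this example, not statements of policy.

```python
import os
import pwd
import grp
import stat
from typing import Dict, Optional

# Assumptions (not from the policy text): traditional mbox spool directory and group name.
SPOOL_DIR = "/var/mail"
MAIL_GROUP = "mail"


def classify(st_mode: int, st_uid: int, st_gid: int, owner_uid: int, mail_gid: int) -> Optional[str]:
    """Classify one mailbox's ownership and mode against the two permitted schemes.

    Returns "user-600" (mode 600, owned by the destination user, any group),
    "group-mail-660" (mode 660, owned by the destination user, group mail),
    or None for anything else. S_IMODE keeps the setuid/setgid/sticky bits,
    so a spool carrying any of them never matches either scheme.
    """
    perm = stat.S_IMODE(st_mode)
    if st_uid != owner_uid:
        return None
    if perm == 0o600:
        return "user-600"
    if perm == 0o660 and st_gid == mail_gid:
        return "group-mail-660"
    return None


def infer_system_scheme(dir_mode: int, dir_gid: int, mail_gid: int) -> str:
    """Heuristic (an assumption of this example, not policy): a spool directory
    that is setgid, group mail and group-writable is set up for group-mail
    delivery, so a mailbox created there should follow the 660 scheme;
    anything else is treated as the 600 scheme."""
    perm = stat.S_IMODE(dir_mode)
    group_delivery = (
        dir_gid == mail_gid
        and bool(perm & stat.S_ISGID)
        and bool(perm & stat.S_IWGRP)
    )
    return "group-mail-660" if group_delivery else "user-600"


def audit_spool(spool_dir: str = SPOOL_DIR, mail_group: str = MAIL_GROUP) -> Dict[str, str]:
    """Walk a spool directory and map each regular file to its scheme.

    Files are assumed to be named after their owning user; names that are not
    users (lock files, stray files) are reported as "no-such-user" rather than
    skipped, since they are worth a look too.
    """
    mail_gid = grp.getgrnam(mail_group).gr_gid
    report: Dict[str, str] = {}
    for name in sorted(os.listdir(spool_dir)):
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks and directories are not mbox spools
        try:
            owner_uid = pwd.getpwnam(name).pw_uid
        except KeyError:
            report[name] = "no-such-user"
            continue
        report[name] = classify(st.st_mode, st.st_uid, st.st_gid, owner_uid, mail_gid) or "nonstandard"
    return report


if __name__ == "__main__":
    if os.path.isdir(SPOOL_DIR):
        dir_st = os.stat(SPOOL_DIR)
        mail_gid = grp.getgrnam(MAIL_GROUP).gr_gid
        print("system scheme:", infer_system_scheme(dir_st.st_mode, dir_st.st_gid, mail_gid))
        for mailbox, scheme in audit_spool().items():
            print(f"{mailbox:20s} {scheme}")
    else:
        print(f"{SPOOL_DIR} not present on this host")
```

Run it as root (or any user that can stat the spool) to get one line per mailbox; a "nonstandard" entry is precisely a mailbox the patch says an MUA must not remove, and a mismatch between a mailbox's scheme and the inferred system scheme is the situation the cover text worries about, where a recreated spool may no longer be writable by the delivery agent.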