On Thu, 11 Jan 2001, gary wrote:
> I'm using RedHat6.2 with sendmail-8.9.3-20
>
> I always get the following message in /var/log/maillog
>
> Jan 11 18:18:08 thongsiek ipop3d[24806]: Mailbox vulnerable - directory
> /var/spool/mail must have 1777 protection
>
> what does that mean? Is it critical? Any idea? Please advise.
Your POP server wants to put its lock file in /var/spool/mail. There are
two common ways to do this. Make /var/spool/mail 0775 and owned by root:mail.
Then make your POP daemon (and other mail apps) also owned by root:mail
and mode 6755 (sgid). This gives your users, by way of the daemon, write
access to the /var/spool/mail dir so they can write their lock files. The
downfall here is that it means binaries that run with elevated privileges.
The other alternative is to make your spool directory 1777 and not give
your mail programs any elevated privileges - they run as the user who is
trying to read their mail. 1777 means you can create files in the directory
and delete files in it, but only files that you already own. The downfall
here is that users can DoS other users. One user can't mess with the mail
or the lock file of another user (files are still created 0600) but they
could pre-emptively create a lock file for another user. So the other user's
mail would always appear locked, and because they did not own their 'own'
lock file they'd never be able to unlock it.
A trade off.
The error message you see is most likely from your POP daemon assuming one
scheme is going to be in use when possibly it is actually the other. I
believe Red Hat favours the first solution, where mail programs are run sgid
to the mail group. In this case the 'error' message is essentially
harmless - just annoying. :)
M.
P.S. Actually there is a 3rd alternative - put the users' mail in their home
directory like qmail and some other MTAs/MDAs do, but that's not really
relevant here. :)
--
WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road. Network Operations - Systems Engineer
PO Box 4169, East Brisbane. phone: +61 7 3249 2583
Queensland, Australia. pgp key id: 0x900E515F
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
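The two spool-directory schemes described in the message above, as an added example that is not part of the original post or of any Red Hat tooling: a small POSIX sh script that classifies a spool directory's mode and ownership into the root:mail/sgid scheme or the 1777 sticky scheme, and then checks whether a given mail binary's mode fits that scheme. Modes are passed as the octal strings `stat`/`ls` report. The `audit_live` helper, its reliance on GNU `stat -c`, and the paths `/usr/sbin/ipop3d` and `/bin/mail` are assumptions made for illustration, not facts from the thread.

```sh
#!/bin/sh
# Added example (not from the original post): classify a mail spool setup
# into the two schemes discussed in the thread and check whether a mail
# binary's mode fits that scheme.  Modes are the octal strings stat/ls
# report ("1777", "775", "6755"); only audit_live touches the real system.

# special_digit MODE -> the setuid/setgid/sticky digit of a 4-digit mode
# (setuid=4, setgid=2, sticky=1); a 3-digit mode has none, so "0".
special_digit() {
  m=$1
  case "${#m}" in
    4) printf '%s\n' "${m%???}" ;;   # "6755" -> "6"
    *) printf '0\n' ;;
  esac
}

# perms MODE -> the rwx digits only ("1777" -> "777", "775" -> "775")
perms() { m=$1; printf '%s\n' "${m#"${m%???}"}"; }

has_setuid() { case "$(special_digit "$1")" in 4|5|6|7) return 0 ;; *) return 1 ;; esac; }
has_setgid() { case "$(special_digit "$1")" in 2|3|6|7) return 0 ;; *) return 1 ;; esac; }
has_sticky() { case "$(special_digit "$1")" in 1|3|5|7) return 0 ;; *) return 1 ;; esac; }

# classify_spool MODE OWNER GROUP -> prints one of:
#   sticky        1777: any user may create files but delete only their own;
#                 mail programs need no privilege, lock-name squatting possible
#   setgid-group  0775 root:mail: mail programs must run sgid mail to lock
#   mismatch      group-writable but not root:mail, so an sgid-mail daemon
#                 still cannot write its lock file there
#   unknown       anything else
classify_spool() {
  smode=$1 owner=$2 group=$3
  p=$(perms "$smode")
  if has_sticky "$smode" && [ "$p" = 777 ]; then
    echo sticky
  elif [ "$p" = 775 ]; then
    if [ "$owner" = root ] && [ "$group" = mail ]; then
      echo setgid-group
    else
      echo mismatch
    fi
  else
    echo unknown
  fi
}

# check_daemon SCHEME DAEMON_MODE DAEMON_GROUP -> prints one of:
#   ok                  binary fits the scheme
#   cannot-lock         setgid-group spool but binary is not sgid mail
#   unneeded-privilege  sticky spool but binary is setuid/setgid anyway
#   unknown             scheme not recognised
check_daemon() {
  scheme=$1 dmode=$2 dgroup=$3
  case "$scheme" in
    sticky)
      if has_setuid "$dmode" || has_setgid "$dmode"; then
        echo unneeded-privilege
      else
        echo ok
      fi ;;
    setgid-group)
      if has_setgid "$dmode" && [ "$dgroup" = mail ]; then
        echo ok
      else
        echo cannot-lock
      fi ;;
    *) echo unknown ;;
  esac
}

# audit_live SPOOL BINARY... -> run the checks on this machine.
# Assumes GNU stat -c (as on Red Hat); returns 1 where that is unavailable.
audit_live() {
  spool=$1; shift
  stat -c '%a' / >/dev/null 2>&1 || { echo "audit_live needs GNU stat" >&2; return 1; }
  [ -d "$spool" ] || { echo "$spool: not a directory" >&2; return 1; }
  scheme=$(classify_spool $(stat -c '%a %U %G' "$spool"))
  echo "$spool: $scheme"
  for bin in "$@"; do
    [ -f "$bin" ] || continue
    echo "$bin: $(check_daemon "$scheme" $(stat -c '%a %G' "$bin"))"
  done
}

# Worked values from the thread (the paths below are assumed, not from the post):
classify_spool 775 root mail         # setgid-group (Red Hat's layout)
check_daemon setgid-group 6755 mail  # ok: the ipop3d warning is harmless here
classify_spool 1777 root mail        # sticky
check_daemon sticky 6755 mail        # unneeded-privilege
audit_live /var/spool/mail /usr/sbin/ipop3d /bin/mail 2>/dev/null || :
```

On a box laid out the way the message says Red Hat does it, the spool classifies as `setgid-group` and an sgid-mail POP daemon as `ok`; the "Mailbox vulnerable" line is then the harmless warning from a daemon that expected 1777. A `cannot-lock` result is the case that actually matters: the daemon has no way to create its lock file in the spool at all.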