
Re: should /var/spool/mail/ have the sticky bit set? ...




On Fri, 30 Mar 2001, Ethan Benson wrote:

> On Fri, Mar 30, 2001 at 07:36:23PM -0500, Richard A Nelson wrote:
> > On Fri, 30 Mar 2001, Ethan Benson wrote:
> > 
> > > /var/mail into the solaris style world writable /var/mail.  except
> > > this is dependent on your MTA, sendmail and exim are broken in that
> > > they insist on creating mailspools mode 660 group=mail which means any
> > > gid=mail exploit compromises every single user's mail spool.  i prefer
> > > postfix which creates mailspools mode 600 group=mail.
> > 
> > As I'm sure you know, sendmail *never* touches *anything* in /var/mail -
> > that is the MDA's job...  procmail, mailagent, deliver, etc..
> 
> erm yes, just most/all sendmail setups i've seen seem to have 660
> mailspools, which has always made zero sense to me.  (the delivery
> agent should setuid() itself to the target user to do the delivery)
> 
> > Ok, sendmail does include a (very little used) default MDA (mail.local),
> > and the behaviour there is changeable... and I'll make it *not* do 660 from
> > now on.
> 
> what does exim use?  last time i installed a quick debian system and
> forgot to deselect exim in favor of postfix i noticed it created 660
> mailspools too.  why is this ever done anyway?  
> 
Thanks for the useful info. I have added myself to the mail group and this may or
may not have fixed the problem. In any case I am able to read and delete the mail.
Previously I could not delete mail. Not clear whether being in the mail group is
appropriate...

> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 
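
An added example, not part of the original thread: a Python audit of a spool directory for the two conditions discussed above, a world-writable directory lacking the sticky bit and mailboxes with group or world access (660 instead of 600). The function name `audit_spool` and the finding strings are hypothetical; `/var/mail` is used only as the default path.

```python
import os
import stat
import sys


def audit_spool(spool_dir):
    """Return a list of (path, finding) tuples for a mail spool directory."""
    findings = []
    dmode = os.stat(spool_dir).st_mode
    # In a world-writable directory, the sticky bit is what stops one user
    # from deleting or renaming another user's mailbox.
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append((spool_dir, "world-writable directory without sticky bit"))

    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        st = os.lstat(path)  # lstat: do not follow symlinks planted in the spool
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        # Mode 660 group=mail means any process running with gid=mail can
        # read and modify this mailbox; 600 limits it to the owner.
        if mode & stat.S_IRWXG:
            findings.append((path, "group-accessible mailbox (mode %04o)" % mode))
        if mode & stat.S_IRWXO:
            findings.append((path, "world-accessible mailbox (mode %04o)" % mode))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/mail"
    results = audit_spool(target)
    for path, finding in results:
        print("%s: %s" % (path, finding))
    sys.exit(1 if results else 0)
```

The exit status is non-zero when anything is flagged, so the script can run from cron or a configuration-management check.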


