Subject: Re: Unable to lock mailbox: Permission denied
To: Brian Stark <bstark@siemens-psc.com>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: netbsd-help
Date: 02/23/1998 11:32:54
On Sun, Feb 22, 1998 at 03:47:15PM -0600, Brian Stark wrote:

> I have recently upgraded from 1.2.1/i386 to 1.3/i386 and each time I try to
> delete mail using the mail program I get the message:
> 
>   "Unable to lock mailbox: Permission denied"

Hm.

The way I like to set things up is as follows:

/var/mail is mode 0775, owned by root.mail

Then, any mail clients you wish to have access to /var/mail are set to mode
2711 (or 2755 or 2555 or whatever) with ownership set to root.mail (or
bin.mail or whatever.mail). This, of course, comes after making a mail
group in /etc/group. (I think this would be a nice universal change to
make for NetBSD as a whole, since so many people use this strategy for
securing mail folders.)

Individual mailboxes within /var/mail retain their owners' permissions -
they don't have to be owned by the mail group, since the user accessing
them still has her own access, in addition to the group mail access caused
by the SGID bit on the mail client.

Incidentally, the reason why you don't want sticky bits on your mail folder
is that sticky bits only prevent files from being deleted if someone doesn't
own them. They don't prohibit the arbitrary creation of files. Therefore, if
someone knew that someone else was going to have an account added, they could
create the victim's mailbox themselves, making it mode 0777, and thus gaining
access to the target's mail. It's easy enough to periodically check for the
situation, but I don't see the point where there's an easier and cleaner
solution available for minimal effort. Plus, I don't think every OS supports
sticky bits the same way, whereas I can't think of any reason why the group
mail method would fail anywhere.

Good luck!

-- 
Mason Loring Bliss...mason@acheron.middleboro.ma.us...www.webtrek.com/mason
"In the drowsy dark cave of the mind dreams build their nest with fragments
 dropped from day's caravan."--Rabindranath Tagore...awake ? sleep : dream;
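A periodic check for the situation the message describes (a mailbox pre-created or loosened so that someone other than its owner can write it), as an added example that is not code from the original post; the spool directory and the mailbox names used in it are constructed.

```shell
#!/bin/sh
# Audit a spool laid out as the message suggests (/var/mail mode 0775,
# root.mail, SGID mail clients) for mailboxes a user could have planted
# or opened up. Constructed example, not from the original post.

# Print one line per suspicious mailbox in $1 with the reason.
# Prints nothing when the spool looks clean; callers count lines.
audit_spool() {
    spool=$1
    for box in "$spool"/*; do
        [ -f "$box" ] || continue
        name=$(basename "$box")
        # A mailbox should belong to the user it is named after; a box
        # created ahead of time by someone else fails this check (find
        # also prints nothing when no such user exists yet).
        if [ -z "$(find "$box" -user "$name" 2>/dev/null)" ]; then
            echo "$box: not owned by $name"
        fi
        # Group or other write bits (the "mode 0777" case) let another
        # user append to or truncate the box regardless of SGID clients.
        if [ -n "$(find "$box" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "$box: group- or world-writable"
        fi
    done
}

# Run against the real spool, e.g. from cron:
#   audit_spool /var/mail
```

Each finding is one line, so `audit_spool /var/mail | wc -l` gives a quick count for a cron job to mail to the administrator.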