On Wed, 4 Dec 1996, Greg A. Woods wrote:

> Again, this is untrue if a single mailbox access protocol is defined for
> the mail domain.  In fact this should *reduce* the administrator's
> workload, and I would highly recommend it in any case.

In which case you have just as much (or more) work to do retooling your
mail apps to work with this protocol.  And at any rate, you reduce the
flexibility of the non-privileged user to install their own mail software.

> Then don't use NFS -- I wouldn't trust it for mail delivery in the first
> place.  Multi-client mailbox access is an ideal application of something
> like IMAP (or even POP).

But with no other reason but your change to not use NFS, I think you need
a clearer justification for your change before taking away a capability which
is now present.

> > > the system supports the POSIX notion of giving away files on quota-less
> > > filesystems, and /var/mail is on such a filesystem, then life with
> > 
> > But BSD doesn't, and I can think of _no_ good reasons that /var/mail should
> > be required to be quota-less.  In fact, that strikes me as asking for trouble.
> 
> No, *BSD, or at least NetBSD doesn't yet implement the POSIX option of
> allowing non-root chown(2) for filesystems without _POSIX_CHOWN_RESTRICTED.

There is no `yet' here.  _POSIX_CHOWN_RESTRICTED is one conformant behavior
for a file system, and it is the behavior implemented by *BSD for clear
security reasons.

> Just how many systems have you seen which do have quotas enabled, even
> just for /var/mail?  I sometimes see on a peak of a dozen mail machines
> a week, and I only know of a handful that have had quotas enabled.  I've
> implemented them myself on a few more as a quick fix, but they're either
> unusable or difficult to manage on many systems and therefore not used.

All 48 hosts I administer here have quotas enabled for mail and user home
space.  In addition _every_ ISP I have come into contact with has had quotas
on mail and home space, as has every university setting I have encountered.
Requiring /var/mail to be quota-less would be a big downgrade in the security
of this site and many others from D-O-S and nuisance attacks...

> In practice I wouldn't worry about allowing un-restricted chown() even
> with quotas on /var/mail.  If in a well configured environment you would
> forever lose all your mail if you were to chown away your mailbox in
> some vain effort of avoiding the quota or trying to perform a temporary
> denial of service attack on another user by using up their quota.  These
> tricks are also easy to spot in a periodic security scan too, and since
> no long-term damage would happen, I just wouldn't worry about it.

That's fine, but you don't have my user base, and I do not think your solution
scales well to a large variety of common situations.

> > So rarely used?  I've _never_ run a general use system without mail quotas,
> > and know of noone doing so!
> 
> Quotas are far too often ignored in practice.

See the above.  I repeat: I have never run, or seen a general use system without
mail quots.

--
				Jim Wise
				System Administrator
				GSAPP, Columbia University
				jim@santafe.arch.columbia.edu
				http://www.arch.columbia.edu/~jim
				* Finger for PGP public key *