Subject: Re: using group writability for /var/mail spool files....
To: Andrew Brown <atatat@atatdot.net>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 06/30/2003 01:54:02
[ On Sunday, June 29, 2003 at 23:33:07 (-0400), Andrew Brown wrote: ]
> Subject: Re: daily (& security) mail not delivered
>
> "Greg A. woods" <woods@weird.com> wrote:
> > It would be even smarter to also store mail in /var/mail by group-write
> > privileges alone with only the initial creation of mailbox spool file
> > requiring any privilege and that can be done just once at account
> > creation time -- this way even mail.local would not have to be
> > super-user, but rather just set-group-id to "mail" (a group-ID unique to
> > mail.local, of course).
> 
> been there, tried that.  there's a whole host of "other" problems with
> that, not the least of which is that in order for the user to read
> their mail while mail.local can write to it, the user really needs to
> "own" that file, which means that they can easily block themselves
> from getting new mail.

Huh?  The user owns their own mail spool file now!

Obviously the user would still own their own mail spool file if it were
group writable for the LDA, but it would have a group ownership of
"mail" and of course be group writable.  The /var/mail directory on the
other hand would be mode 755 (or even 711) and owned by root:wheel.

Obviously the user can hose themselves and prevent local delivery to
their mailbox by changing its permissions -- but they can do that
anyway in any number of ways, even just by screwing up the locking
protocol when they write to or truncate their spool file (or messing
with their ~/.forward file, etc.).  It's not entirely beyond reason to
expect the mailer to treat permissions problems as "temporary" errors
and to keep mail for the luser in the queue until either it times out or
the luser or root fixes his or her spool file permissions.

Group writability has worked just fine for mail spool files for decades
in other unix variants.

(Systems without quotas can even have the LDA create the spool file and
then chown it to the right user, but so long as the same privileged user
which creates the user's account and home directory also creates the
mail spool file at the same time then this ability is not needed for *BSD.)

> imho, it's not worth the effort.

There have been several security bugs, some major, in various mail.local
implementations over the years, even the one in NetBSD (IIRC).  Check
BUGTRAQ archives, for example.

IMNSHO it is very much worth the effort to avoid running the LDA as
root -- perhaps even more so than the network listening daemon!
(but not the queue processing daemon of course)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
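The layout argued for above (spool directory owned by root:wheel at mode 0755 or 0711, each spool file owned by its user, group "mail", mode 0660 so a set-group-id LDA can append without being root) is easy to get subtly wrong, and a user who changes their own file's mode silently blocks delivery. The audit below is an added example written for this thread, not code from the post, from mail.local or from NetBSD. It builds a constructed sandbox directory with deliberately mixed modes (since chown needs root, the expected owner and "mail" gid are taken from the sandbox's own stat rather than from /etc/group) and reports every file that deviates from the scheme. The names alice, bob, carol and dave and the function names are invented for the example.

```python
import os
import pwd
import shutil
import stat
import tempfile

# Policy taken from the post: /var/mail is root:wheel, mode 0755 (or 0711);
# each spool file is user:mail, mode 0660 (group write is what the LDA uses).
DIR_MODES_OK = {0o755, 0o711}
FILE_MODE_OK = 0o660


def default_owner_lookup(name):
    """Map a spool file name to the uid that should own it (None if unknown)."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_spool_dir(path, mail_gid, dir_uid=0, dir_gid=0,
                    owner_lookup=default_owner_lookup):
    """Return a list of (name, problem) tuples; an empty list means the
    directory and every file in it match the group-writable scheme."""
    problems = []
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [(path, "not a directory")]
    mode = stat.S_IMODE(st.st_mode)
    if mode not in DIR_MODES_OK:
        problems.append((path, "directory mode %04o, expected 0755 or 0711" % mode))
    if (st.st_uid, st.st_gid) != (dir_uid, dir_gid):
        problems.append((path, "directory owner %d:%d, expected %d:%d"
                         % (st.st_uid, st.st_gid, dir_uid, dir_gid)))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)            # lstat: a symlink in the spool is itself a finding
        if not stat.S_ISREG(fst.st_mode):
            problems.append((name, "not a regular file"))
            continue
        fmode = stat.S_IMODE(fst.st_mode)
        if fmode != FILE_MODE_OK:
            # 0600 means the user has locked the LDA out (delivery will fail);
            # anything wider than 0660 exposes the mailbox to other users.
            problems.append((name, "mode %04o, expected 0660" % fmode))
        if fst.st_gid != mail_gid:
            problems.append((name, "group %d, expected mail gid %d" % (fst.st_gid, mail_gid)))
        expected_uid = owner_lookup(name)
        if expected_uid is None:
            problems.append((name, "no such user"))
        elif fst.st_uid != expected_uid:
            problems.append((name, "owner uid %d, expected %d" % (fst.st_uid, expected_uid)))
    return problems


def build_constructed_sandbox():
    """Create a throwaway spool directory with one good file and three bad entries.
    This is constructed test data, not a real /var/mail."""
    root = tempfile.mkdtemp(prefix="mailspool-")
    os.chmod(root, 0o755)
    for name, mode in (("alice", 0o660),   # correct
                       ("bob", 0o600),     # user hosed themselves: LDA cannot append
                       ("carol", 0o666)):  # world-writable mailbox
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("From alice@example.invalid Mon Jun 30 01:54:02 2003\n")
        os.chmod(p, mode)
    os.symlink("alice", os.path.join(root, "dave"))  # symlink where a mailbox should be
    return root


def run_demo():
    """Audit the sandbox and return its findings (ownership expectations are
    taken from the sandbox itself because the example cannot chown)."""
    root = build_constructed_sandbox()
    try:
        st = os.stat(root)
        return audit_spool_dir(root, mail_gid=st.st_gid,
                               dir_uid=st.st_uid, dir_gid=st.st_gid,
                               owner_lookup=lambda name: st.st_uid)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, problem in run_demo():
        print("%s: %s" % (name, problem))
```

Against a real spool you would call audit_spool_dir("/var/mail", mail_gid=grp.getgrnam("mail").gr_gid) with the default owner lookup, so that each file is also checked against the account of the same name. The bob case is exactly the self-inflicted delivery failure discussed in the thread; an audit like this, or the mailer treating the EACCES as a temporary error, is how it gets noticed rather than silently losing mail.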