I'm running imap-2004.RC6 on MacOS X 10.3 (a big endian BSD-ish system). I see that RC7 is available but I'd like to ask about an issue I'm seeing before evaluating that upgrade this evening.
The issue is an odd message in my system log running my IMAP client. (I see nothing of note in the server's system log.) This began following some recent installation and maintenance of other software on the server that tightened its file system permissions a bit. The message is:
2004-03-08 07:29:12.094 Mail[435] Unhandled response to command CLOSE: * NO Mailbox vulnerable - directory /var/mail must have 1777 protection
/var/mail had these permissions at the time: drwxrwxr-t 7 root mail 238 8 Mar 07:25 mail
I changed them to: drwxrwxrwt 7 root mail 238 8 Mar 07:25 mail
and that did silence the complaint, but in what way is having _more_ restrictive permissions a vulnerability? I understand that more restrictive permissions could in general prevent a server process from working, but that's not what the command response said.
And (in this specific case) is there some reason why UW imapd (and presumably ipop3d) would actually need world-write on /var/mail? My understanding is that the server process runs as the authenticated user and should thus have rw access to that user's mbox file in this directory. Those files already exist for each mail account on the system so write access to the directory shouldn't be needed, right?
I'm probably just being clueless but I'd like to understand the actual issue before I permanently relax the permissions on /var/mail/.
Thanks! -Michael Cashwell
--
------------------------------------------------------------------
For information about this mailing list, and its archives, see: http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------
