On Sun, 03 Jul 2005, [EMAIL PROTECTED] wrote:
> On Sat, Jul 02, 2005 at 01:01:51AM +0200, Oliver Fuchs wrote:
> >
> > Problem:
> > using procmail as local mailer sets the wrong permissions in /var/mail.
> > Question:
> > So my issue is that using procmail as local mailer sets the wrong
> > permissions.
> > Is this now less important and known or is it a security
> > risk?
> > And is the only way to avoid setting these permissions to change them in
> > /var/mail by hand?
> >
>
> hi. i'm not sure about `wrong'

Yes, wrong is the wrong expression - I mean it is "wrong" because
/etc/security is complaining about it.

> , but procmail does appear to create
> mailboxes 660, with the group id of /var/mail (`wheel').
> /etc/security complains if a mailbox is not 600. i don't know if it
> checks the group id or not, but normal is to use the user's default group, i
> think. i don't know about security risk, but you can:
>  * alter the relevant file in /etc/mtree to not complain about perms
>  * alter perms in /var/mail/(mailbox) by hand
>  * alter procmail source

it seems to be enough to alter config.h:

#define GROUPW_UMASK (INIT_UMASK&~S_IRWXG) /* == 007 */

>  * alter sendmail config (the local mailer define, i mean)

Yes, here another possibility would be to use the default Mlocal,
P=/usr/libexec/mail.local, and invoke procmail via ~/.forward.

>  * put up with it
>  * something else i haven't thought of

I saw that rmuser also removes the user's incoming mail file. So maybe the
adduser script could also create an empty one for the user with the right
permissions.

> it is a bit of a pain, i agree. i spent a morning looking at this, and
> didn't come up with much. this issue came up as a netbsd pr (#18788)
> a few years ago, and they eventually closed it as "3rd party software
> issue, please complain to procmail maintainer". you could try that
> too.
>
> http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=18788
>
> if anyone else has a more elegant solution, i'd love to know it. there
> are other issues with running non-base stuff like this (perms to use and
> so on), so i guess the winning solution is to run what is in base, since
> it all works nicely together.
>
> jmc

So thanks for answering and helping.

Oliver

-- 
... don't touch the bang bang fruit
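As an added example (not code from the thread, from procmail, or from the operating system being discussed), here is a small POSIX sh script that does what the "alter perms in /var/mail by hand" option and the /etc/security check amount to: it lists mailboxes whose mode is not 600, resets them to 600 with the owner's primary group instead of the group inherited from the spool directory, and shows why a 007 umask yields 660 files. The spool-directory parameter, the function names and the scratch-directory usage are the example's own assumptions; the real spool is /var/mail.

```shell
#!/bin/sh
# Added example, not from the thread, procmail or the base system: audit a
# mail spool for mailboxes /etc/security would complain about (mode other
# than 600) and offer the "fix by hand" step as a function. The spool path
# is a parameter so the functions can be exercised on a scratch directory.

# Permission bits of a file as an octal string such as "660".
# GNU stat (-c) is tried first, then BSD stat (-f).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owning user name of a file, same GNU/BSD fallback.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Mode a file created with 0666 ends up with under a given umask.
# A umask of 007 (procmail's GROUPW_UMASK) gives 660, the thread's
# complaint; the usual 077 gives the 600 that /etc/security expects.
umask_to_mode() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Print "mailbox mode" for every regular file in the spool not at 600.
find_bad_mailboxes() {
    spool=${1:-/var/mail}
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        mode=$(mode_of "$f")
        [ "$mode" = 600 ] && continue
        printf '%s %s\n' "${f##*/}" "$mode"
    done
}

# The manual fix: chmod 600 and give the mailbox the owner's primary
# group rather than the group it inherited from the spool directory.
fix_mailboxes() {
    spool=${1:-/var/mail}
    find_bad_mailboxes "$spool" | while read -r name mode; do
        f=$spool/$name
        chmod 600 "$f"
        chgrp "$(id -gn "$(owner_of "$f")")" "$f"
    done
}

# Stand-alone use: report offenders in the given spool (default /var/mail).
find_bad_mailboxes "$@"
```

Run it as root against /var/mail to see what /etc/security is going to report; `fix_mailboxes` is the "by hand" option from the thread made repeatable, and it only touches files that are not already 600.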

