On Mon, 16 Apr 2012 12:45:12 +0100, Zi Loff wrote:
>> It is hard to guess what you need from the scarce information you
>> provide.
>
> I'm sorry... On hindsight, that was _very_ little information.
>
> I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
> domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.
>
>> Can you show the output of
>>   # ls -al /var/mail
>
> $ ls -l /var/mail
> total 2148
> -rw-------  1 root    wheel  1076477 Jan 14 16:13 root
> drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
> -rw-------  1 zeloff  users        0 Jan 10  2011 zeloff
>
> Inside /var/mail/vmail is a folder for each of the virtual domains,
> and inside that one for every user, etc. Everything from here on down
> has either 700 (folders) or 600 (files) permissions.
>
>> on the machine in question, and the exact messages you see in your
>> daily security emails?
>
> Running security(8):
>
> Checking mailbox ownership.
> user vmail mailbox is drwx------, group vmail
>
> If I chmod 600 /var/mail/vmail, security(8) runs clean, so it's the
> executable bit that's causing the trouble, but unsetting it is not an
> option for the obvious reasons. Relocating the whole thing is most
> probably the best idea, but is there anything wrong with this patch I
> came up with?
>
> --- /usr/libexec/security	Mon Apr 16 10:43:36 2012
> +++ security	Mon Apr 16 11:43:20 2012
> @@ -457,7 +457,7 @@
>  my $gname = (getgrgid $fgid)[0] // $fgid;
>  nag $fname ne $name, "user $name mailbox is owned by $fname";
> - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR |
> +     (S_ISDIR(S_IFMT($mode)) && S_IXUSR) ),
>      sprintf 'user %s mailbox is %s, group %s', $name, strmode($mode), $gname;
>  }
>
> I have no proper perl skills whatsoever, but I tested it on a few files
> with different permissions and it appears to work properly...
>
> So, what's the verdict? Should maildirs be kept out of /var/mail
> altogether, or is patching security(8) a viable alternative?
>
> Many thanks
> Zi (with an acute-accented 'e', damn encodings...)
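Review bot: the hunk header `@@ -457,7 +457,7 @@` does not match the hunk body, which removes one line and adds two, so the new side is eight lines long and the header should read `@@ -457,7 +457,8 @@`; patch(1) will reject or mis-apply the hunk as written. In the added expression, `S_ISDIR` already masks its argument with S_IFMT, so `S_ISDIR(S_IFMT($mode))` can be simplified to `S_ISDIR($mode)`. Worth stating in the description as well: with this change security(8) accepts any 0700 directory under /var/mail as a valid mailbox and, as before, does not descend into it, so the per-domain and per-user directories described in the mail are not checked either way.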
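To make the effect of the proposed rule concrete, here is an added example (not code from the thread or from OpenBSD's security(8)) that re-implements the mailbox mode check in Python, once with the original rule and once with the directory exception from the patch, and runs it over a constructed listing modelled on the `ls -l /var/mail` output above plus a few extra entries that show where each rule draws the line. The entry names, modes and owners are constructed sample data; the nag text follows the format quoted in the mail but omits the group name.

```python
import stat

# Constructed sample entries modelled on the /var/mail listing in the thread:
# (mailbox name, st_mode, owner user name).  The type bits come from the
# stat constants so S_ISDIR()/S_IMODE() behave as they would on real inodes.
SAMPLE_MAILBOXES = [
    ("root",   stat.S_IFREG | 0o600, "root"),
    ("vmail",  stat.S_IFDIR | 0o700, "vmail"),     # the maildir root from the mail
    ("zeloff", stat.S_IFREG | 0o600, "zeloff"),
    # extra constructed cases to show the edges of the rule
    ("alice",  stat.S_IFREG | 0o640, "alice"),     # group-readable spool file
    ("bob",    stat.S_IFDIR | 0o750, "bob"),       # group-traversable directory
    ("carol",  stat.S_IFREG | 0o600, "mallory"),   # right mode, wrong owner
]


def allowed_mode(mode, allow_dir_exec):
    """Permission bits a mailbox may carry.

    The original security(8) rule allows exactly rw------- (0600).  With
    allow_dir_exec=True the directory exception from the patch is applied:
    a directory may additionally carry the owner execute (search) bit.
    """
    allowed = stat.S_IRUSR | stat.S_IWUSR
    if allow_dir_exec and stat.S_ISDIR(mode):
        allowed |= stat.S_IXUSR
    return allowed


def check_mailbox(name, mode, owner, allow_dir_exec=False):
    """Return the nag messages the mailbox ownership check would emit."""
    nags = []
    if owner != name:
        nags.append(f"user {name} mailbox is owned by {owner}")
    # S_IMODE strips the file type bits, exactly as Perl's S_IMODE does.
    if stat.S_IMODE(mode) != allowed_mode(mode, allow_dir_exec):
        nags.append(f"user {name} mailbox is {stat.filemode(mode)}")
    return nags


def run_check(entries, allow_dir_exec=False):
    """Run the check over a listing; maps mailbox name -> list of nags."""
    return {name: check_mailbox(name, mode, owner, allow_dir_exec)
            for name, mode, owner in entries}


if __name__ == "__main__":
    for label, exc in (("original rule", False), ("patched rule", True)):
        print(f"== {label} ==")
        for name, nags in run_check(SAMPLE_MAILBOXES, exc).items():
            print(f"{name:8s} {nags or 'ok'}")
```

Under the original rule the 0700 `vmail` directory is reported, which is the message quoted in the mail; under the patched rule it passes, while a 0750 directory, a 0640 file and a mailbox owned by another user are still reported by both. The example also makes the limitation visible: the rule inspects only the top-level entry, so nothing below `vmail` is examined.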
Formatting properly doesn't work for you? That made my eyes bleed.

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted.
The reply-to: address is provided for those who feel compelled to reply off list.
Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.

