On Sun, Aug 19, 2007 at 12:25:43PM +1000, Chris wrote:
> fetchmail was complaining that procmail cannot create /var/mail/me
> while fetching mail. The permission on /var/mail/ directory was set to
> -
> 
> drwxr-xr-x  2 root  wheel  512 Aug 19 12:16 /var/mail/
> 
> I changed it to -
> 
> drwxrwxr-x  2 root  wheel  512 Aug 19 12:16 /var/mail/
> 
> It's working fine now since user "me" is in wheel group.
> 
> Do I need to make /var/mail world-writable to get mail for other
> users?

The issue is that /var/mail is a shared directory, but you don't want user A
being able to delete user B's mail (or vice versa).

I know of two ways that Unix systems tend to deal with this problem:

(1) Set the sticky bit on the /var/mail directory:

        chmod 1777 /var/mail

Mode 777 allows any user to create or delete files within the directory;
setting the sticky bit forbids users from deleting files which they don't
own.

The problem is, if you don't already have a mail file, any user can create
/var/mail/yourname (which in turn prevents you from receiving any mail).

(2) Make /var/mail group-owned by the 'mail' group, set it mode 775, and
then make sure all mail delivery programs are setgid mail.

The problem is needing to security-audit a whole bunch of programs which run
setgid mail, and are therefore potential back-doors into reading other
people's mail (and worse).

Personally, I use Maildir and haven't looked back. Get your MTA to deliver
to ~/Maildir/ and the problem goes away. It solves a lot of problems to do
with locking too.

Regards,

Brian.
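A check for the two failure modes Brian describes, as an added example that is not part of the thread: it assumes a System V style spool under the given directory where each regular file is named after the user who owns it, and it flags a world-writable spool without the sticky bit (anyone can delete other people's mail) as well as spool files not owned by, or not named after, an existing account (the pre-created mailbox case under 1777).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: every regular file
# in the spool directory $1 belongs to the user of the same name, and lock
# files end in ".lock".  Usage: sh audit_spool.sh /var/mail

# Findings about the directory itself. Prints one line per finding,
# returns 1 if anything was found, 0 otherwise.
spool_dir_findings() {
    dir=$1; rc=0
    # Mode 777 without the sticky bit: any user can delete anyone's mailbox.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 ! -perm -1000)" ]; then
        echo "DIR  world-writable without sticky bit: $dir"; rc=1
    fi
    return $rc
}

# Findings about the spool files: with 1777 any user can pre-create
# /var/mail/<name>, so each file must be owned by the user it is named
# after, and that user must actually exist.
spool_file_findings() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue           # skip subdirs and an unmatched glob
        name=${f##*/}
        case $name in *.lock) continue ;; esac   # skip mailbox lock files
        if ! id -u "$name" >/dev/null 2>&1; then
            echo "USER no account named after spool file: $f"; rc=1
        elif [ -n "$(find "$f" -maxdepth 0 ! -user "$name")" ]; then
            echo "OWN  spool file not owned by '$name': $f"; rc=1
        fi
    done
    return $rc
}

# Run both checks; exit status 0 only when the spool is clean.
audit_spool() {
    status=0
    spool_dir_findings "$1" || status=1
    spool_file_findings "$1" || status=1
    return $status
}

if [ "$#" -gt 0 ]; then
    audit_spool "$1"
fi
```

A spool run under the setgid-mail scheme (option 2) passes the directory check since it is not world-writable; the ownership check applies to both schemes.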
