At 3:48 PM -0400 5/2/01, Scott McDermott wrote:
> I don't know why the LX manual says continually that shell users
> shouldn't be allowed access to server mode and the like...what they
> should really say is, "don't let shell users have access to programs
> that modify the mail spool and don't respect F_SETLK and/or dotlocks."
> If you have been sure to compile all your programs to cooperate with
> respec to fcntl()/flock() (which Qpopper does properly) then I don't see
> where the problem would arise.
Qpopper does not keep the spool locked for the duration of the
session. Qpopper only locks the spool at the beginning and end of
sessions. In non-server mode, this is fine, as Qpopper makes no
assumptions about the state of the spool between times. But in
server mode, you are asserting that the only modifications to the
spool are done by a final delivery agent, which only appends. If a
shell user edits the spool in any other way during a POP session,
and Qpopper is in server mode, you've got spool corruption.
