hi Matthew,

Thanks a lot for your advice...

I don't really get you, like how to make /var/spool/mail 0775....
is it like: chmod 0775 /var/spool/mail ? and how to make it owned by
root:mail?
or can you please provide a clearer picture of the 1st method?

or if I leave it for a while, will it harm my system?

Please advise...

thanks.................

rdgs,
gary


----- Original Message -----
From: Matthew Melvin <[EMAIL PROTECTED]>
To: gary <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 11, 2001 6:40 PM
Subject: Re: 1777 protection for /var/spool/mail???


> On Thu, 11 Jan 2001, gary wrote:
>
> > I'm using RedHat6.2 with sendmail-8.9.3-20
> >
> > I always get the following message in /var/log/maillog
> >
> > Jan 11 18:18:08 thongsiek ipop3d[24806]: Mailbox vulnerable - directory
> > /var/spool/mail must have 1777 protection
> >
> > what does that mean? is it critical? Any idea? please advise
>
> Your pop server wants to put its lock file in /var/spool/mail.  There are
> 2 common ways to do this.  Make /var/spool/mail 0775 and owned by root:mail.
> Then make your pop daemon (and other mail apps) also owned by root:mail
> and mode 6755 (sgid).  This gives your users, by way of the daemon, write
> access to the /var/spool/mail dir so they can write their lock files.  The
> downfall here is that it means binaries that run with elevated privileges.
>
> The other alternative is to make your spool directory 1777 and do not give
> your mail programs any elevated privileges - they run as the user who is
> trying to read their mail.  1777 means you can create and delete files in
> the directory but only files that you already own.  The downfall here is
> users can DoS other users.  One user can't mess with the mail or the lock
> file of another user (files are still created 0600) but they could
> pre-emptively create a lock file for another user.  So the other user's mail
> would always appear locked, and because they did not own their 'own' lock
> file they'd never be able to unlock it.
>
> A trade off.
>
> The error message you see is most likely from your pop daemon assuming one
> scheme is going to be in use when possibly it is actually the other.  I
> believe RedHat favours the first solution where mail programs are run sgid
> to the mail group.  In this case the 'error' message is essentially
> harmless - just annoying. :)
>
> M.
>
> P.S. Actually there is a 3rd alternative - put the users' mail in their home
> directory like qmail and some other MTA/MDAs do but that's not really
> relevant here. :)
>
> --
> WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
> Level 1, 96 Lytton Road.           Network Operations - Systems Engineer
> PO Box 4169, East Brisbane.                       phone: +61 7 3249 2583
> Queensland, Australia.                            pgp key id: 0x900E515F
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list



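As an added example (not code from the thread or from RedHat), here is a small POSIX shell check that classifies a spool directory by the two schemes Matthew describes (0775 group-writable with sgid daemons, or 1777 sticky) and flags a pop/mail binary whose privilege does not match the directory. It assumes GNU stat (Linux); the daemon path in the final comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a mail spool directory into
# the two locking schemes discussed (sgid daemons on a 0775 root:mail
# directory, or a 1777 sticky directory) and checks whether a given pop/mail
# binary's privilege is consistent with that scheme. Assumes GNU stat.

# Octal permission bits of a path, e.g. 1777 or 775.
perm_of() {
    stat -c '%a' "$1"
}

# Print which locking scheme the spool directory's mode implies.
spool_scheme() {
    case "$(perm_of "$1")" in
        1777)     echo sticky-world ;;  # users create/delete only their own files
        775|0775) echo sgid-group ;;    # group "mail" writes; daemons must be sgid
        *)        echo unknown ;;
    esac
}

# Does the binary carry setuid and/or setgid (a 2xxx, 4xxx or 6xxx mode)?
is_setgid_or_setuid() {
    case "$(perm_of "$1")" in
        [2467]???) return 0 ;;
        *)         return 1 ;;
    esac
}

# Cross-check directory scheme against daemon privilege. Prints a verdict and
# returns 0 when the combination is consistent, 1 when it is not.
spool_check() {
    dir=$1; daemon=$2
    scheme=$(spool_scheme "$dir")
    if is_setgid_or_setuid "$daemon"; then priv=yes; else priv=no; fi
    case "$scheme:$priv" in
        sgid-group:yes)   echo "ok: $dir is 0775 and $daemon has setgid/setuid"; return 0 ;;
        sticky-world:no)  echo "ok: $dir is 1777, $daemon runs as the user (cross-user lock-file DoS possible)"; return 0 ;;
        sgid-group:no)    echo "error: $daemon lacks setgid, so it cannot create lock files in $dir"; return 1 ;;
        sticky-world:yes) echo "warn: $dir is world-writable, $daemon does not need setgid/setuid"; return 1 ;;
        *)                echo "unknown: $dir mode $(perm_of "$dir") matches neither scheme"; return 1 ;;
    esac
}

# Real use (placeholder daemon path): spool_check /var/spool/mail /usr/sbin/ipop3d
```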