I haven't had any reason to worry about this other than my own ignorance so I appreciate the input. We use Fedora/Postfix/POP3 and the server is also the MTA - an all-in-one thing. If you guys say its cool then I won't get worked up over it.
Thanks R -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd A. Jacobs Sent: Sunday, February 22, 2004 11:55 PM To: Rick Shepherd Cc: Reno Linux Users Group Subject: Re: [RLUG] (no subject) On Fri, 20 Feb 2004, Rick Shepherd wrote: > Mailbox vulnerable - directory /var/spool/mail must have 1777 protection You don't say what application, but my guess is pine. Red Hat hacked pine so that it didn't require lockfile creation in the /var/spool/mail directory, which is sort of a lame thing for pine to do anyway. Unfortunately, Fedora doesn't include pine, so if you install it yourself, you'll get this error because without the sticky bit, the application can't create mbox lockfiles in /var/spool/mail. Whether or not this is actually a problem will depend a great deal on your environment, and how worried you are about corrupted mailboxes. 1777 is a reasonable set of permissions, but it *does* open up the mailspool directory to some potential race conditions and some rather limited DoS issues under certain circumstances. So, if you need it, set the sticky bit and don't lose too much sleep over it. But if you can avoid it by patching your application, or having the MDA deliver to mbox/maildir in each users' home directories, you'll be better off in the long run. -- Todd's "Customer Disservice Hall of Shame" currently contains: - Charter Communications: Mislead their customers about service levels, block normal Internet connectivity, and exhibit excessive downtime. - AT&T: Honoring the "checks" they send out to entice you to switch long-distance providers is apparently optional. - eFax: Receive (not send) 20 pages of *unsolicited* faxes, and lose your account. _______________________________________________ RLUG mailing list [EMAIL PROTECTED] http://www.rlug.org/mailman/listinfo/rlug _______________________________________________ RLUG mailing list [EMAIL PROTECTED] http://www.rlug.org/mailman/listinfo/rlug
