Re: /var/mail question
On Mon, Jul 07, 2003 at 11:59:51AM -0400, quadrant wrote:

> I was temporarily using pine to retrieve my email, and upon exiting the
> program, pine notified me that the /var/mail directory was vulnerable, and
> advised a chmod 1777 of such. The default is 775. What are the implications
> of this, and won't 1777 make the folder more vulnerable? My understanding
> was that if the SUID bit is turned on for either U, G or O, that security
> is more at risk. Please let me know what I should do...
>
> Thanks,
> Eric

chmod 1777 turns on the sticky bit, as well as giving rwx permissions for all. This is the same as, for example, /tmp.

The sticky bit tells the system to allow only the owner of a file to unlink that file. That is, although any user can create a file, only the user that created it may unlink it.

With the default mode of 0775, any member of the group owner of the directory could delete files. However, provided you only have trusted users in that group, it shouldn't be a problem.

I have never seen such warnings, so have never given it any thought.

Dan

--
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
Re: /var/mail question
quadrant wrote:

> I was temporarily using pine to retrieve my email, and upon exiting the
> program, pine notified me that the /var/mail directory was vulnerable, and
> advised a chmod 1777 of such. The default is 775. What are the implications
> of this, and won't 1777 make the folder more vulnerable? My understanding
> was that if the SUID bit is turned on for either U, G or O, that security
> is more at risk. Please let me know what I should do...

Read the man page for chmod. The suid and sgid bits mean something different on directories than on files. When set, they force all files created in that directory to be owned by the owner of the directory.

Again ... see the man page for more detail, as well as (I believe) a description of how this helps security.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: /var/mail question
quadrant wrote:

> I was temporarily using pine to retrieve my email, and upon exiting the
> program, pine notified me that the /var/mail directory was vulnerable, and
> advised a chmod 1777 of such. The default is 775. What are the implications
> of this, and won't 1777 make the folder more vulnerable? My understanding
> was that if the SUID bit is turned on for either U, G or O, that security
> is more at risk. Please let me know what I should do...

Permission 1777 involves the sticky bit, which is used for /tmp, not setuid or setgid:

    STICKY DIRECTORIES
         A directory whose `sticky bit' is set becomes an append-only
         directory, or, more accurately, a directory in which the deletion
         of files is restricted. A file in a sticky directory may only be
         removed or renamed by a user if the user has write permission for
         the directory and the user is the owner of the file, the owner of
         the directory, or the super-user. This feature is usefully applied
         to directories such as /tmp which must be publicly writable but
         should deny users the license to arbitrarily delete or rename each
         others' files.

I think the stock BSD permissions of 775 imply that the LDA must be running as root in order to perform local delivery. The other type of mail configuration (used by SysV-style Unices) involves 770 permissions and having the LDA be setgid to mail.

--
-Chuck
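To make the difference between the 0775 default and 1777 concrete, here is an added model (not code from the thread) of the unlink rule quoted above from the sticky-directory man page, applied to a /var/mail spool owned root:mail; the gid 6 for mail and the uids for "alice" and "bob" are assumed sample values.

```python
import stat
from dataclasses import dataclass

ROOT_UID = 0

@dataclass(frozen=True)
class Dir:
    mode: int   # full mode including the sticky bit, e.g. 0o1777
    uid: int    # directory owner
    gid: int    # directory group

@dataclass(frozen=True)
class File:
    uid: int    # owner of the mailbox file

def has_write(d, uid, groups):
    """Plain owner/group/other write check on the directory; root always passes."""
    if uid == ROOT_UID:
        return True
    if uid == d.uid:
        return bool(d.mode & stat.S_IWUSR)
    if d.gid in groups:
        return bool(d.mode & stat.S_IWGRP)
    return bool(d.mode & stat.S_IWOTH)

def may_unlink(d, f, uid, groups=frozenset()):
    """The rule quoted from the man page: write permission on the directory is required,
    and when S_ISVTX is set the caller must also own the file, own the directory, or be root."""
    if not has_write(d, uid, groups):
        return False
    if not (d.mode & stat.S_ISVTX):
        return True
    return uid in (ROOT_UID, f.uid, d.uid)

# Constructed scenario (assumed values): /var/mail is root:mail, bob is also in group mail.
MAIL_GID = 6
ALICE, BOB = 1001, 1002

def spool_outcomes(mode):
    """For a given /var/mail mode: can bob delete alice's mailbox, and can alice create her own?"""
    spool = Dir(mode, ROOT_UID, MAIL_GID)
    alice_box = File(ALICE)
    return {
        "bob_deletes_alice": may_unlink(spool, alice_box, BOB, frozenset({MAIL_GID})),
        "alice_deletes_own": may_unlink(spool, alice_box, ALICE),
        "alice_can_create": has_write(spool, ALICE, frozenset()),
        "root_deletes_alice": may_unlink(spool, alice_box, ROOT_UID),
    }

if __name__ == "__main__":
    for mode in (0o775, 0o1777):
        print(oct(mode), spool_outcomes(mode))
```

With 0775 a group member can remove anyone's mailbox while ordinary users cannot even create their own (hence the root-running LDA); with 1777 everyone can create, but only the mailbox owner, the directory owner or root can remove.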