Re: security(8) mailbox check question

2016-01-25 Thread Craig Skinner
Hi all,

On 2016-01-23 Sat 22:31 PM |, Joerg Jung wrote:
> On Sat, Jan 23, 2016 at 08:31:09PM +0100, Ingo Schwarze wrote:
> 
> This was discussed several times before.

e.g.:
http://openbsd-archive.7691.n7.nabble.com/security-8-check-maildir-as-well-as-mailbox-permissions-td239848.html

-- 
Ray's Rule of Precision:
Measure with a micrometer.  Mark with chalk.  Cut with an axe.



Re: security(8) mailbox check question

2016-01-25 Thread Craig Skinner
Hi Ted,

On 2016-01-23 Sat 17:27 PM |, Ted Unangst wrote:
> 
> I think the possibility to fill up /var makes it a poor choice.

For mail servers, /var/mail/ can be a separate mount point.

/var/log/ is commonly a mount point on servers.

As is /var/www/ /var/spool/{smtpd,postfix} /var/[fav-SQL-db], etc.

-- 
Cheers.



Re: security(8) mailbox check question

2016-01-23 Thread Ingo Schwarze
Hi,

the smtpd(8) daemon supports "deliver to maildir" out of the box,
and even though putting the user maildirs below /var/mail/ is not
the default, it's one of many possible and logical choices, and i
see nothing wrong with it.

Adam Wolk noticed on misc@ that currently security(8) doesn't
like that choice.  I consider the complaint gratuitous and the
code to prevent it simple enough that i'd like to commit it.

Any OKs?
  Ingo


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.36
diff -u -p -r1.36 security
--- security21 Jul 2015 19:07:13 -  1.36
+++ security23 Jan 2016 19:09:21 -
@@ -449,7 +449,7 @@ sub check_dot_writeable {
}
 }
 
-# Mailboxes should be owned by the user and unreadable.
+# Mailboxes should be owned by the user, and readable by the user only.
 sub check_mailboxes {
my $dir = '/var/mail';
nag !(opendir my $dh, $dir), "opendir: $dir: $!" and return;
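Review bot: the reworded comment still only describes the mbox case, while the second hunk makes the check accept 0700 for a directory; say so here so the next reader knows both layouts are intended, e.g. "# Mailboxes should be owned by the user and accessible to the user only: 0600 for an mbox file, 0700 for a maildir." The same should land in the security(8) or hier(7) text that describes /var/mail, since that is where the objection being answered ("only mbox is intended") comes from.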
@@ -464,7 +464,9 @@ sub check_mailboxes {
my $gname = (getgrgid $fgid)[0] // $fgid;
nag $fname ne $name,
"user $name mailbox is owned by $fname";
-   nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+   my $wantmode = S_IRUSR | S_IWUSR;
+   $wantmode |= S_IXUSER if -d "$dir/$name";
+   nag S_IMODE($mode) != $wantmode,
sprintf 'user %s mailbox is %s, group %s',
$name, strmode($mode), $gname;
}
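Review bot: `S_IXUSER` on the added `$wantmode |=` line is not a constant from the family the rest of this code uses; the existing mask is written as `S_IRUSR | S_IWUSR`, and the execute bit from that family is `S_IXUSR`, so the line should read `$wantmode |= S_IXUSR if -d "$dir/$name";`. As written the bareword does not resolve to anything (under `use strict` it is a compile-time error, otherwise it silently contributes 0 and every maildir keeps being nagged as if it were an mbox). Separately, `-d "$dir/$name"` stats the entry a second time and follows symlinks; `$mode` is already in hand a few lines up, so `S_ISDIR($mode)` avoids the extra stat and keeps the directory test consistent with whatever stat or lstat produced `$mode`.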


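The check Ingo's patch relaxes, carried through in Python as an added example; this is not code from the security(8) script or from OpenBSD. It accepts 0600 for an mbox file and 0700 for a maildir as the patch does, and, as an assumption beyond the patch, uses lstat so a symlink planted in the spool is reported rather than followed, and also verifies the cur/, new/ and tmp/ subdirectories a maildir must carry. The `uid_of` parameter exists only so the check can be run against a constructed spool with fabricated ownership; by default it consults the password database like the Perl original.

```python
"""Check a /var/mail-style spool where entries may be mbox files or maildirs.

Added example (not the security(8) script itself): one complaint per problem,
in the spirit of security(8)'s nag().
"""
import os
import pwd
import stat
from typing import Callable, List, Optional

# Modes the check wants: 0600 for an mbox file, 0700 for a maildir.
MBOX_MODE = stat.S_IRUSR | stat.S_IWUSR
MAILDIR_MODE = MBOX_MODE | stat.S_IXUSR
MAILDIR_SUBDIRS = ("cur", "new", "tmp")  # assumption: standard maildir layout


def uid_from_passwd(name: str) -> Optional[int]:
    """Look the spool entry's name up in the password database; None if absent."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def check_maildir_layout(path: str, name: str, uid: int) -> List[str]:
    """A maildir needs cur/, new/ and tmp/, each owned by the user and mode 0700."""
    problems: List[str] = []
    for sub in MAILDIR_SUBDIRS:
        sub_path = os.path.join(path, sub)
        try:
            sst = os.lstat(sub_path)
        except FileNotFoundError:
            problems.append(f"user {name} maildir lacks {sub}/")
            continue
        if not stat.S_ISDIR(sst.st_mode):
            problems.append(f"user {name} maildir {sub} is not a directory")
        elif sst.st_uid != uid or stat.S_IMODE(sst.st_mode) != MAILDIR_MODE:
            problems.append(f"user {name} maildir {sub}/ is "
                            f"{stat.filemode(sst.st_mode)}, owner uid {sst.st_uid}")
    return problems


def check_mailboxes(mail_dir: str = "/var/mail",
                    uid_of: Callable[[str], Optional[int]] = uid_from_passwd) -> List[str]:
    """Return the list of complaints for every entry directly under mail_dir."""
    problems: List[str] = []
    for name in sorted(os.listdir(mail_dir)):
        path = os.path.join(mail_dir, name)
        st = os.lstat(path)  # lstat: never follow a symlink someone left in the spool
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"user {name} mailbox is a symbolic link")
            continue
        uid = uid_of(name)
        if uid is None:
            problems.append(f"mailbox {name} has no matching user")
            continue
        if st.st_uid != uid:
            problems.append(f"user {name} mailbox is owned by uid {st.st_uid}")
        # Decide the wanted mode from the stat result already in hand, not a second stat.
        if stat.S_ISDIR(st.st_mode):
            want = MAILDIR_MODE
        elif stat.S_ISREG(st.st_mode):
            want = MBOX_MODE
        else:
            problems.append(f"user {name} mailbox is not a regular file or directory")
            continue
        if stat.S_IMODE(st.st_mode) != want:
            problems.append(f"user {name} mailbox is {stat.filemode(st.st_mode)}, want {want:04o}")
        if stat.S_ISDIR(st.st_mode):
            problems.extend(check_maildir_layout(path, name, uid))
    return problems


if __name__ == "__main__":
    for line in check_mailboxes():
        print(line)
```

Run as root on a mail host it walks /var/mail; passing a different `mail_dir` lets the same check cover a spool mounted elsewhere, which matters for the separate-mount-point layouts discussed later in the thread.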

Re: security(8) mailbox check question

2016-01-23 Thread Ted Unangst
Ingo Schwarze wrote:
> the smtpd(8) daemon supports "deliver to maildir" out of the box,
> and even though putting the user maildirs below /var/mail/ is not
> the default, it's one of many possible and logical choices, and i
> see nothing wrong with it.

I think the possibility to fill up /var makes it a poor choice. Putting each
user's mail in their home directory is, imo, a more sensible choice. Now,
there are a dozen legacy reasons why we may not be able to do this by default,
but we should encourage anybody changing the defaults to avoid /var/mail.
Even traditional mail only uses /var as a queue, and then stores messages in
~/mbox.

In short, we can't simply drop /var/mail support, but if through inaction we
can discourage its use, then I vote for inaction.



Re: security(8) mailbox check question

2016-01-23 Thread Joerg Jung
On Sat, Jan 23, 2016 at 08:31:09PM +0100, Ingo Schwarze wrote:
> Hi,
> 
> the smtpd(8) daemon supports "deliver to maildir" out of the box,
> and even though putting the user maildirs below /var/mail/ is not
> the default, it's one of many possible and logical choices, and i
> see nothing wrong with it.

This was discussed several times before.  The last one I remember
is [1]. 
 
> Adam Wolk noticed on misc@ that currently security(8) doesn't
> like that choice.  I consider the complaint gratuitous and the
> code to prevent it simple enough that i'd like to commit it.

Personally, I think it makes sense to stay restrictive with the check in
security and I moved away my maildirs from /var/mail years ago for this
reason.  Maybe it should be documented in hier(7) that only mbox is
intended...

[1] http://marc.info/?l=openbsd-misc=133460345221298=2

 
> Any OKs?
>   Ingo
> 
> 
> Index: security
> ===
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.36
> diff -u -p -r1.36 security
> --- security  21 Jul 2015 19:07:13 -  1.36
> +++ security  23 Jan 2016 19:09:21 -
> @@ -449,7 +449,7 @@ sub check_dot_writeable {
>   }
>  }
>  
> -# Mailboxes should be owned by the user and unreadable.
> +# Mailboxes should be owned by the user, and readable by the user only.
>  sub check_mailboxes {
>   my $dir = '/var/mail';
>   nag !(opendir my $dh, $dir), "opendir: $dir: $!" and return;
> @@ -464,7 +464,9 @@ sub check_mailboxes {
>   my $gname = (getgrgid $fgid)[0] // $fgid;
>   nag $fname ne $name,
>   "user $name mailbox is owned by $fname";
> - nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> + my $wantmode = S_IRUSR | S_IWUSR;
> + $wantmode |= S_IXUSER if -d "$dir/$name";
> + nag S_IMODE($mode) != $wantmode,
>   sprintf 'user %s mailbox is %s, group %s',
>   $name, strmode($mode), $gname;
>   }
>