Re: security(8) mailbox check question
Hi all,

On 2016-01-23 Sat 22:31 PM |, Joerg Jung wrote:
> On Sat, Jan 23, 2016 at 08:31:09PM +0100, Ingo Schwarze wrote:
> 
> This was discussed several times before.

e.g: http://openbsd-archive.7691.n7.nabble.com/security-8-check-maildir-as-well-as-mailbox-permissions-td239848.html

-- 
Ray's Rule of Precision:
	Measure with a micrometer. Mark with chalk. Cut with an axe.
Re: security(8) mailbox check question
Hi Ted,

On 2016-01-23 Sat 17:27 PM |, Ted Unangst wrote:
> 
> I think the possibility to fill up /var makes it a poor choice.

For mail servers, /var/mail/ can be a separate mount point.
/var/log/ is commonly a mount point on servers. As is /var/www/
/var/spool/{smtpd,postfix} /var/[fav-SQL-db], etc.

-- 
Cheers.
Re: security(8) mailbox check question
Hi,

the smtpd(8) daemon supports "deliver to maildir" out of the box,
and even though putting the user maildirs below /var/mail/ is not
the default, it's one of many possible and logical choices, and i
see nothing wrong with it.

Adam Wolk noticed on misc@ that currently security(8) doesn't
like that choice.  I consider the complaint gratuitous and the
code to prevent it simple enough that i'd like to commit it.

Any OKs?
  Ingo


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.36
diff -u -p -r1.36 security
--- security	21 Jul 2015 19:07:13 -	1.36
+++ security	23 Jan 2016 19:09:21 -
@@ -449,7 +449,7 @@ sub check_dot_writeable {
 	}
 }
 
-# Mailboxes should be owned by the user and unreadable.
+# Mailboxes should be owned by the user, and readable by the user only.
 sub check_mailboxes {
 	my $dir = '/var/mail';
 	nag !(opendir my $dh, $dir), "opendir: $dir: $!" and return;
@@ -464,7 +464,9 @@ sub check_mailboxes {
 		my $gname = (getgrgid $fgid)[0] // $fgid;
 		nag $fname ne $name,
 		    "user $name mailbox is owned by $fname";
-		nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
+		my $wantmode = S_IRUSR | S_IWUSR;
+		$wantmode |= S_IXUSER if -d "$dir/$name";
+		nag S_IMODE($mode) != $wantmode,
 		    sprintf 'user %s mailbox is %s, group %s',
 		    $name, strmode($mode), $gname;
 	}
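Review bot: the new comment in the first hunk ("readable by the user only") no longer describes what the second hunk accepts, since a maildir is allowed mode 0700, i.e. readable, writable and searchable by the owner. Suggest wording it so the two cases are explicit, e.g. "# Mailboxes should be owned by the user; an mbox must be 0600 and a maildir 0700." so that someone reading the check later is not surprised by the directory special case.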
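Review bot: `S_IXUSER` in the second hunk (`$wantmode |= S_IXUSER if -d "$dir/$name";`) is not a constant Fcntl exports; the owner-execute/search bit is `S_IXUSR`, matching the `S_IRUSR | S_IWUSR` spelling on the line above it. Under `use strict` this will not compile, and without it the bareword would silently OR in the wrong value, so the directory case would never pass the check. Also worth confirming that `-d "$dir/$name"`, which follows symlinks, classifies entries the same way as whatever call produced `$mode` earlier in the loop, so a symlink in /var/mail is not judged as a directory against a mode taken from the link itself.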
Re: security(8) mailbox check question
Ingo Schwarze wrote:
> the smtpd(8) daemon supports "deliver to maildir" out of the box,
> and even though putting the user maildirs below /var/mail/ is not
> the default, it's one of many possible and logical choices, and i
> see nothing wrong with it.

I think the possibility to fill up /var makes it a poor choice.
Putting each user's mail in their home directory is, imo, a more
sensible choice. Now, there are a dozen legacy reasons why we may not
be able to do this by default, but we should encourage anybody
changing the defaults to avoid /var/mail. Even traditional mail only
uses /var as a queue, and then stores messages in ~/mbox.

In short, we can't simply drop /var/mail support, but if through
inaction we can discourage its use, then I vote for inaction.
Re: security(8) mailbox check question
On Sat, Jan 23, 2016 at 08:31:09PM +0100, Ingo Schwarze wrote:
> Hi,
> 
> the smtpd(8) daemon supports "deliver to maildir" out of the box,
> and even though putting the user maildirs below /var/mail/ is not
> the default, it's one of many possible and logical choices, and i
> see nothing wrong with it.

This was discussed several times before. The last one I remember is [1].

> Adam Wolk noticed on misc@ that currently security(8) doesn't
> like that choice. I consider the complaint gratuitous and the
> code to prevent it simple enough that i'd like to commit it.

Personally, I think it makes sense to stay restrictive with the check
in security and I moved away my maildirs from /var/mail years ago for
this reason.

Maybe it should be documented in hier(7) that only mbox is intended...

[1] http://marc.info/?l=openbsd-misc=133460345221298=2

> Any OKs?
> Ingo
> 
> 
> Index: security
> ===
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.36
> diff -u -p -r1.36 security
> --- security 21 Jul 2015 19:07:13 - 1.36
> +++ security 23 Jan 2016 19:09:21 -
> @@ -449,7 +449,7 @@ sub check_dot_writeable {
>  	}
>  }
>  
> -# Mailboxes should be owned by the user and unreadable.
> +# Mailboxes should be owned by the user, and readable by the user only.
>  sub check_mailboxes {
>  	my $dir = '/var/mail';
>  	nag !(opendir my $dh, $dir), "opendir: $dir: $!" and return;
> @@ -464,7 +464,9 @@ sub check_mailboxes {
>  		my $gname = (getgrgid $fgid)[0] // $fgid;
>  		nag $fname ne $name,
>  		    "user $name mailbox is owned by $fname";
> -		nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> +		my $wantmode = S_IRUSR | S_IWUSR;
> +		$wantmode |= S_IXUSER if -d "$dir/$name";
> +		nag S_IMODE($mode) != $wantmode,
> 		    sprintf 'user %s mailbox is %s, group %s',
> 		    $name, strmode($mode), $gname;
> 	}
> 
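The check Ingo's diff is arguing about, written out as a stand-alone example in Python rather than the Perl of src/libexec/security (this is added illustration, not the project's script): every entry in the spool must be owned by the user it is named after, an mbox file must be exactly 0600, and a maildir directory must be exactly 0700, which is the `S_IXUSR` (the diff spells it `S_IXUSER`) special case for directories. The spool it inspects is a constructed temp directory with two correct entries and three offending ones; `uid_of` is a hypothetical hook so the sample can use made-up user names instead of the real passwd file, which is what security(8) consults.

```python
"""Toy re-implementation of security(8)'s mailbox permission check,
extended the way the patch proposes: mbox files want 0600, maildir
directories want 0700, and every entry is owned by its user.
Example code written for this thread, not the script from
src/libexec/security."""
import os
import pwd
import shutil
import stat
import tempfile


def check_mailboxes(mail_dir, uid_of=None):
    """Return a list of complaints, one per offending entry in mail_dir.

    uid_of maps a mailbox name to the expected owner uid; by default the
    passwd database is consulted, as security(8) does.  A name that is
    not a user is reported rather than silently skipped.
    """
    if uid_of is None:
        def uid_of(name):
            return pwd.getpwnam(name).pw_uid
    complaints = []
    for name in sorted(os.listdir(mail_dir)):
        path = os.path.join(mail_dir, name)
        st = os.lstat(path)  # lstat: a symlink in the spool is not a mailbox
        try:
            want_uid = uid_of(name)
        except KeyError:
            complaints.append(f"{name}: no such user")
            continue
        if st.st_uid != want_uid:
            complaints.append(f"user {name} mailbox is owned by uid {st.st_uid}")
        # The idea from the diff: an mbox needs only rw for the owner, a
        # maildir additionally needs the owner's search (x) bit.
        want_mode = stat.S_IRUSR | stat.S_IWUSR
        if stat.S_ISDIR(st.st_mode):
            want_mode |= stat.S_IXUSR
        if stat.S_IMODE(st.st_mode) != want_mode:
            complaints.append(
                f"user {name} mailbox is {stat.filemode(st.st_mode)}")
    return complaints


def build_sample_spool():
    """Constructed sample spool in a temp dir (not a real /var/mail):
    a correct mbox and maildir, a world-readable mbox, a maildir the
    owner cannot search, and an mbox that will be treated as mis-owned."""
    spool = tempfile.mkdtemp(prefix="mailcheck-")

    def mbox(name, mode):
        p = os.path.join(spool, name)
        open(p, "w").close()
        os.chmod(p, mode)  # chmod explicitly so the umask does not matter

    def maildir(name, mode):
        p = os.path.join(spool, name)
        os.mkdir(p)
        os.chmod(p, mode)

    mbox("alice", 0o600)     # fine
    maildir("bob", 0o700)    # fine: directory with owner search bit
    mbox("carol", 0o644)     # group/other readable: nag
    maildir("dave", 0o600)   # directory without x: nag
    mbox("eve", 0o600)       # mode fine, but owner will not match
    return spool


def run_demo():
    """Build the sample spool, run the check, clean up, return complaints."""
    spool = build_sample_spool()
    me = os.getuid()
    # Hypothetical owner table standing in for getpwnam(); 'eve' is
    # mapped to a different uid so the ownership complaint fires.
    owners = {"alice": me, "bob": me, "carol": me, "dave": me, "eve": me + 1}
    try:
        return check_mailboxes(spool, uid_of=lambda n: owners[n])
    finally:
        for name in os.listdir(spool):
            os.chmod(os.path.join(spool, name), 0o700)
        shutil.rmtree(spool)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running it prints three complaints, for carol (`-rw-r--r--`), dave (`drw-------`) and eve (owned by the wrong uid); alice and bob pass. Because the expected mode is computed from the entry's own type, the check stays as strict as before for mbox files while accepting a properly locked-down maildir, which is exactly the relaxation the diff proposes and Joerg's reply argues against.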