On 2013-12-16 Mon 12:11 PM, Craig R. Skinner wrote:
> Check the security of /var/mail/dirs similar to /var/mail/boxes:
>

Several skilled sysadmins have stated they deliberately avoid using
/var/mail for maildirs as security(8) generates warnings about these.

People are placing maildirs in /var/maildir, /var/vmail, /mail,
/var/spool/mail, and who knows what other embarrassingly heinous
hierarchical heresies are being committed.

It's simple to alter security to include maildirs as well as mailboxes.
Either with the code I hacked up, or something sublimely superior.

Compare:
http://openbsd.7691.n7.nabble.com/security-8-and-maildir-td67036.html#a67039

Additionally, here's a possible corresponding diff for hier(7):

Index: hier.7
===================================================================
RCS file: /cvs/src/share/man/man7/hier.7,v
retrieving revision 1.109
diff -u -u -p -r1.109 hier.7
--- hier.7	14 Aug 2013 08:39:29 -0000	1.109
+++ hier.7	21 Dec 2013 15:21:55 -0000
@@ -617,7 +617,7 @@ Log files for
 .El
 .Pp
 .It mail/
-User mailbox files.
+User mailbox files and/or maildirs.
 .It named/
 Chroot directory for
 .Xr named 8 .

> Index: security
> ===================================================================
> RCS file: /cvs/src/libexec/security/security,v
> retrieving revision 1.23
> diff -u -u -p -r1.23 security
> --- security	21 Mar 2013 09:37:37 -0000	1.23
> +++ security	16 Dec 2013 12:05:52 -0000
> @@ -458,9 +458,16 @@ sub check_mailboxes {
>  		my $gname = (getgrgid $fgid)[0] // $fgid;
>  		nag $fname ne $name,
>  		    "user $name mailbox is owned by $fname";
> -		nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> -		    sprintf 'user %s mailbox is %s, group %s',
> -		    $name, strmode($mode), $gname;
> +		if (S_ISDIR($mode)) {
> +			nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | S_IXUSR),
> +			    sprintf 'user %s maildir is %s, group %s',
> +			    $name, strmode($mode), $gname;
> +		}
> +		else {
> +			nag S_IMODE($mode) != (S_IRUSR | S_IWUSR),
> +			    sprintf 'user %s mailbox is %s, group %s',
> +			    $name, strmode($mode), $gname;
> +		}
>  	}
>  	closedir $dh;
>  }
>
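Review bot: the hier.7 hunk is only accurate once security(8) actually accepts a directory under mail/, so it should be committed together with the security change (or after it), otherwise the manual documents a layout the nightly check will still nag about. Minor style point on the `+User mailbox files and/or maildirs.` line: manual pages avoid "and/or"; "User mailbox files or maildirs." reads better and says the same thing.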
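Review bot: in the security hunk the two branches of the new `if (S_ISDIR($mode))` duplicate the nag call and its format string, differing only in the expected mode and the word "maildir"/"mailbox"; computing those two values first and keeping a single nag keeps the check readable and makes the messages harder to drift apart, e.g. `my ($want, $kind) = S_ISDIR($mode) ? (S_IRUSR | S_IWUSR | S_IXUSR, 'maildir') : (S_IRUSR | S_IWUSR, 'mailbox');` followed by one `nag S_IMODE($mode) != $want, sprintf "user %s %s is %s, group %s", $name, $kind, strmode($mode), $gname;`. Also worth a comment in the code: only the top-level directory's mode is examined, not the cur/, new/ and tmp/ subdirectories or the message files inside; that is acceptable precisely because the required 0700 on the top directory denies traversal to everyone but the owner, and the ownership nag two lines above still applies to the directory case, but a reader of the script should not have to work that out.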
