Date: Mon, 10 Jun 1996 01:20:29 +0200 (MET DST)
From: "Mikael Karpberg" <karpen@sea.campus.luth.se>
To: security@FreeBSD.org
Subject: Re: FreeBSD's /var/mail permissions
Message-ID: <199606092320.BAA08721@sea.campus.luth.se>
In-Reply-To: <199606081504.IAA05536@precipice.shockwave.com> from "Paul Traina" at Jun 8, 96 08:04:43 am
> But bad guy can't, because /var/mail is 755
> > > > I'm confused, why do you say adduser must create new user mailbox?
> > > Mail.local is already suid root and adduser should deliver a preformatted
> > > mail message with mail.local.
> > > > Why should adduser send any mail to anybody? Rather silly if you ask me.
> > Because bad guy can pre-create upcoming user mailbox with 666 permissions.

No, he cannot, correct. Unless you fool some program to. However, I think it seems like a good idea for adduser to touch, chown and chmod the user's mailbox when the user is created, ANYWAY. Then you're on the safe side, so you are sure it's correct. If someone feels like changing adduser to do so, it would be great. And while whoever is doing that, please fix it so that the user's home directory is chowned to the user even if you select to not copy the default files.

The mail to the user is not silly. It can be a welcome message to the user, with instructions and information, for example. And it's up to the admin to choose if he wants to send the mail or not anyway.

/Mikael
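The touch, chown and chmod step suggested in the message above, as an added Python example (not part of the original e-mail and not FreeBSD's adduser code): it creates the mailbox exclusively, sets owner and mode on the open descriptor, and refuses a pre-existing entry that is a symlink, has another owner, or carries group/other permission bits. The function name `provision_mailbox`, the 0600 target mode and the sample users are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def provision_mailbox(spool_dir, user, uid, gid):
    """Create spool_dir/user as an empty 0600 mailbox owned by uid:gid."""
    path = os.path.join(spool_dir, user)
    try:
        # O_EXCL: fail rather than adopt a file or symlink already at this name.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    except FileExistsError:
        st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: mode {stat.S_IMODE(st.st_mode):o}")
        return "ok"
    try:
        # Use the descriptor so the name cannot be swapped between the calls.
        os.fchown(fd, uid, gid)
        os.fchmod(fd, 0o600)  # explicit, so the result does not depend on umask
    finally:
        os.close(fd)
    return "created"

def demo():
    """Run against a constructed spool directory, not a real /var/mail."""
    uid, gid = os.geteuid(), os.getegid()
    results = {}
    with tempfile.TemporaryDirectory() as spool:
        planted = os.path.join(spool, "bob")
        open(planted, "w").close()
        os.chmod(planted, 0o666)  # constructed: mailbox pre-created with 666
        os.symlink(planted, os.path.join(spool, "carol"))  # constructed: symlink
        for user in ("alice", "alice", "bob", "carol"):
            try:
                outcome = provision_mailbox(spool, user, uid, gid)
            except PermissionError:
                outcome = "refused"
            results.setdefault(user, []).append(outcome)
        mode = os.lstat(os.path.join(spool, "alice")).st_mode
        results["alice_mode"] = stat.S_IMODE(mode)
    return results

if __name__ == "__main__":
    print(demo())
```
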