Date: Mon, 07 Jul 2003 12:13:01 -0400
From: Chuck Swiger <cswiger@mac.com>
To: quadrant <quadrant@apex.homedns.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: /var/mail question
Message-ID: <3F099C0D.9040900@mac.com>
In-Reply-To: <200307071159.51505.quadrant@apex.homedns.org>
References: <200307071159.51505.quadrant@apex.homedns.org>

quadrant wrote:
> I was temporarily using pine to retrieve my email, and upon exiting the
> program, pine notified me that the /var/mail directory was
> vulnerable, and advised a chmod 1777 of such. The default is 775.
> What are the implications of this, and won't 1777 make the folder more
> vulnerable? My understanding was that if the SUID bit is turned
> on for either U, G or O, that security is more at risk. Please
> let me know what I should do...

Permission 1777 involves the "sticky" bit, which is used for /tmp, not setuid
or setgid:

STICKY DIRECTORIES
     A directory whose `sticky bit' is set becomes an append-only directory,
     or, more accurately, a directory in which the deletion of files is
     restricted. A file in a sticky directory may only be removed or renamed
     by a user if the user has write permission for the directory and the
     user is the owner of the file, the owner of the directory, or the
     super-user. This feature is usefully applied to directories such as
     /tmp which must be publicly writable but should deny users the license
     to arbitrarily delete or rename each others' files.

I think the stock BSD permissions of 775 imply that the LDA must be running as
root in order to perform local delivery. The other type of mail configuration
(used by SysV-style Unices) involves 770 permissions and having the LDA be
setgid to "mail".

-- 
-Chuck
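
Added example, not part of the original message: a small Python check that separates the sticky bit (1000) from setuid (4000) and setgid (2000) and reports what a directory mode allows, run over the modes discussed above. The function names and the temporary directory names are assumptions made for this illustration; point audit_dir() at /var/mail to check a real spool.

```python
import os
import stat
import tempfile

def describe_mode(mode):
    """Decode the special bits of a directory mode and summarise the exposure."""
    bits = {
        "setuid": bool(mode & stat.S_ISUID),          # 4000
        "setgid": bool(mode & stat.S_ISGID),          # 2000
        "sticky": bool(mode & stat.S_ISVTX),          # 1000, the leading 1 in 1777
        "world_writable": bool(mode & stat.S_IWOTH),  # o+w
    }
    if bits["world_writable"] and not bits["sticky"]:
        finding = "any user may delete or rename other users' files"
    elif bits["world_writable"]:
        finding = "publicly writable; removal limited to file owner, directory owner, super-user"
    else:
        finding = "not publicly writable; only owner/group (or root) can create files"
    return bits, finding

def audit_dir(path):
    """Stat a real directory and describe its permission bits."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return describe_mode(stat.S_IMODE(st.st_mode))

def demo():
    """Build constructed sample directories with the modes from the thread."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("spool_775", 0o775),
                           ("spool_1777", 0o1777),
                           ("spool_777", 0o777)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod is not affected by the umask
            results[name] = audit_dir(path)
    return results

if __name__ == "__main__":
    for name, (bits, finding) in demo().items():
        flags = ",".join(k for k, v in bits.items() if v) or "none"
        print(f"{name}: {flags}: {finding}")
```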