Great Circle Associates Firewalls
(December 1995)
 


Subject: Re: setuid/setgid local delivery agents
From: Anton J Aylward <anton @ the-wire . com>
Date: Fri, 29 Dec 1995 13:34:30 -0500
To: firewalls @ greatcircle . com

Bill Gianopoulos <wag @ swl . msd . ray . com> wrote ..
>
>Doug Hughes writes:
>>  One person commented that he had it read/write by group mail so that elm
>> could access it. I've never used elm before, but this seems to be flawed.
>> Why would a mail reading program need to be setgid to read a person's
>> mailbox?
>
>Mail readers need to be setgid to the group that owns the spool directory
>so that they can create lock files.

In my dotage I'm becoming allergic to people who make sweeping assertions,
along with anti-histamines ;-)

Yes, there are systems which don't have "flock()" calls and so have to
create lock files in a certain directory.  Some of those have brain-damaged
Mail Transfer Agents which create the lock files in the mail directory rather
than a temporary directory expressly intended for this purpose.  Of course that
also requires that the systems support the sticky bit on those directories.

This is all so that the Mail User Agent (e.g. Elm) can run with _no_ setGid
or setUid at all.  The user can, of course, read and write his own mailbox.
The MTA _only_ needs to be setGid="mail" to write to the mail boxes.

In an ideal world, both the MTA and the MUA use a file locking protocol as a
mutual exclusion mechanism, so the mailboxes are owned by the target user and
group "mail", and the MTA delivery mechanism (which could be separate from the
listener on port 25) only needs to be setGid "mail".  In fact you can make a
case that the mail spool directory is not Gid="mail" at all.  This only
requires that the sysadmin creates the mail boxes for the accounts.

Principle of least privilege.  Because you _CAN_ design it to work this way
you should, unless your system doesn't support sticky directories, file locking
or something.  But then I recall V6 and early V7 didn't support setGid.
(sorry, no sources to hand so can't assert it absolutely.)  I also claim some
diversity if the directories are not gid="mail", so the MTA can't create junk
there, as in - as I was once the victim of - cating a large disk through port
25 to a non-existent user.

Does separate listener, mailbox MTA, mail router and network MTA sound like
SVR4 and {smtpsched, tosmtp, fromsmtp, smtpqer, smtpd, rmail} ?  Perhaps
someone familiar with the innards of this will shed some enlightenment.

As the saying goes, "Your mileage may vary".

So, let's try again,
>Mail readers need to be setgid to the group that owns the spool directory
>so that they can create lock files.

Elm is general enough that it will, when you run the configuration, check to
see if you have file locking and ask you what your MTA uses.  It can deal with
a wide number of situations, including ones where there is no OS support for
file locking, and so has to create a MUTEX lock file in the mail directory.  In
this case, Elm has to be installed with permissions to create the lock file
there.

I still feel that is a bit of a generalization, but I don't want to have to
include the Elm installation guide and chunks of Larry Wall's code.

/anton
------------------------------------------------------------------------------
Anton J Aylward                           | Security is not something that comes
The Strahn and Strachan Group Inc         | in a self-contained box.  It is an
Information Security Consultants          | attribute of how you do business,
Voice: (416) 494-8661 Fax: (416) 494-8803 | and as such needs to be managed
                                          | carefully.
                                          |   - Karen Goertzel, Wang Federal Inc.
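The delivery model argued for in the message above, written out as an added example; this is not code from the post, from Elm, or from any real MTA, and the function names, the scratch spool created under /tmp and the sample messages are all constructed for the illustration. The deliverer is the only piece that would be installed setgid "mail": it appends to a mailbox that already exists (so a flood of mail to a nonexistent user cannot create files in the spool), it takes both flock() and a dotlock so that an MUA using either scheme is excluded, and it never has to know which group owns the spool directory. The directory check enforces the sticky-bit requirement the post mentions for world-writable spool directories.

```c
/* Added example, not code from the post, Elm or any real MTA.
 * Local delivery step under least privilege: append-only to an existing
 * mailbox, flock() plus a dotlock, no mailbox creation. Names and the
 * scratch spool under /tmp are assumptions made for this illustration. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/file.h>
#include <sys/stat.h>

/* A group- or world-writable spool directory must carry the sticky bit,
 * otherwise any user could unlink another user's mailbox or lock file. */
int spool_dir_ok(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX)) return 0;
    return 1;
}

/* Mailbox: a regular file, no access for "other", no setuid/setgid bits. */
int mailbox_perms_ok(const char *mbox)
{
    struct stat st;
    if (stat(mbox, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_mode & (S_IRWXO | S_ISUID | S_ISGID)) return 0;
    return 1;
}

/* Dotlock: O_CREAT|O_EXCL is atomic on a local filesystem, so exactly one
 * process gets to create "<mbox>.lock". Returns 0 if taken, -1 if held. */
static int dotlock_take(const char *mbox, char *lockpath, size_t len)
{
    int fd;
    if ((size_t)snprintf(lockpath, len, "%s.lock", mbox) >= len) return -1;
    fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Returns 0 on success, -1 if the mailbox does not exist or is not
 * writable, -2 if another process holds the mailbox lock. */
int deliver_message(const char *mbox, const char *msg)
{
    char lockpath[4096];
    const char *p = msg;
    size_t left = strlen(msg);
    int fd, rc = 0;

    /* O_APPEND without O_CREAT: only mailboxes the sysadmin created exist,
     * so mail for a nonexistent user cannot populate the spool with junk. */
    fd = open(mbox, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    if (dotlock_take(mbox, lockpath, sizeof lockpath) != 0) { close(fd); return -2; }
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) { unlink(lockpath); close(fd); return -2; }
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0) { if (errno == EINTR) continue; rc = -1; break; }
        p += n; left -= (size_t)n;
    }
    flock(fd, LOCK_UN);
    close(fd);
    unlink(lockpath);          /* release the dotlock for the next deliverer/MUA */
    return rc;
}

/* Self-contained run in a constructed scratch spool (not a real spool).
 * Returns 0 when every check passes, otherwise the number of the failed step. */
int demo_run(void)
{
    char dir[] = "/tmp/spoolXXXXXX";
    char mbox[64], lock[80], buf[256];
    int fd; ssize_t n;
    const char *m1 = "From alice Fri Dec 29 13:34:30 1995\nhello\n\n";  /* constructed */
    const char *m2 = "From bob Fri Dec 29 13:35:00 1995\nworld\n\n";    /* constructed */

    if (!mkdtemp(dir)) return 1;
    if (chmod(dir, 01777) != 0) return 2;               /* sticky, world-writable */
    snprintf(mbox, sizeof mbox, "%s/anton", dir);
    snprintf(lock, sizeof lock, "%s.lock", mbox);
    fd = open(mbox, O_WRONLY | O_CREAT, 0660);           /* "sysadmin creates the mailbox" */
    if (fd < 0) return 3;
    close(fd);
    if (chmod(mbox, 0660) != 0) return 4;                /* independent of umask */
    if (!spool_dir_ok(dir) || !mailbox_perms_ok(mbox)) return 5;

    if (deliver_message(mbox, m1) != 0) return 6;
    if (deliver_message(mbox, m2) != 0) return 7;
    if (access(lock, F_OK) == 0) return 8;               /* lock must be released */

    /* No mailbox for this user: refused, and nothing is created in the spool. */
    snprintf(buf, sizeof buf, "%s/nobody", dir);
    if (deliver_message(buf, m1) != -1 || access(buf, F_OK) == 0) return 9;

    /* An MUA without flock() holds the dotlock: the deliverer backs off. */
    fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return 10;
    close(fd);
    if (deliver_message(mbox, m1) != -2) return 11;
    unlink(lock);

    fd = open(mbox, O_RDONLY);
    if (fd < 0) return 12;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 13;
    buf[n] = '\0';
    if (strlen(buf) != strlen(m1) + strlen(m2) ||
        strstr(buf, "hello") == NULL || strstr(buf, "world") == NULL) return 14;

    unlink(mbox); rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = demo_run();
    printf("demo_run: %s (%d)\n", rc == 0 ? "ok" : "failed at step", rc);
    return rc;
}
```

Build with `cc -o deliver deliver.c && ./deliver`. In a real installation the binary would be installed setgid mail and mailboxes created by the sysadmin as user:mail mode 0660; nothing in the code depends on the group, which is the point of the post. The dotlock is kept alongside flock() because flock() is not honoured across NFS and because MUAs on systems without flock() use only the dotlock; on old NFS clients O_EXCL itself was not atomic either, which is why classic deliverers created a temporary file and link()ed it into place instead.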
