

[linux-security] "mailbox vulnerable" messages


Date: Wed, 5 Aug 1998 16:34:59 -0700 (MST)
From: "R. Grunloh's work mailing list acct." <rgwork@elwood.library.arizona.edu>
To: linux-security@redhat.com
Subject: [linux-security] "mailbox vulnerable" messages

Hi,

I'm running 2 RH5.0 mailservers here with patches from the errata through
around July 23, including imap-4.1.final-1.  Shortly after installing the
latter, we got "mailbox vulnerable, can't create lockfile" messages only
from clients using an old version of PC-pine.

We can migrate those users, but then I noticed that fetchmail gives the
same error when run with the -v (verbose) flag.

We have quite a few users who have Netscape 4.1 (Windows) imap mail at
work, but also use pine from home. They aren't exactly power users and
often forget to close Netscape before leaving. I have no control over
this client setup.

My question is, under these circumstances, wouldn't allowing the lockfile
creation in /var/spool/mail be a wiser choice than risking inbox problems? 
Actually I think the best way would be to set the lockfiles to be created
in /tmp or in their home directory, does anyone know how to do that? Could
it be a compile option (in imap or which pkg?) 

I'm trying to be reasonably secure here, and do my homework, but haven't
seen much discussion on this issue.  Perhaps I have misconfigured
permissions?

[rgrunloh@elwood /var/spool]$ ls -al
total 9
drwxr-xr-x   9 root     root         1024 Mar 24 12:26 .
drwxr-xr-x  15 root     root         1024 Jun  9 09:52 ..
drwx------   3 daemon   daemon       1024 Mar 21 15:22 at
drwx------   2 root     root         1024 Jun 17  1997 cron
drwxrwxr-x   3 root     daemon       1024 May 11 15:35 lpd
drwxrwxr-x   2 root     mail         1024 Aug  5 16:26 mail
drwxr-xr-x   2 root     mail         1024 Aug  5 16:26 mqueue
...

[rgrunloh@elwood /var/spool/mail]$ ls -al
total 2386
drwxrwxr-x   2 root     mail         1024 Aug  5 16:26 .
drwxr-xr-x   9 root     root         1024 Mar 24 12:26 ..
-rw-rw----   1 dstarkey mail          891 May 20 11:53 dstarkey
-rw-rw----   1 icsuser  mail            0 Mar 24 16:35 icsuser
-rw-rw----   1 rgrunloh mail            0 Jun  6 07:12 rgrunloh
...

Thanks.

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
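
An added example, not part of the original post: it takes the directory line for /var/spool/mail from the listing above and works out, from the mode bits alone, whether a process running as a given user could create a lockfile there, and whether a proposed mode would be world-writable without the sticky bit. The function names and the group memberships passed in are assumptions for illustration.

```python
# Added example: judge lockfile-creation rights from an `ls -l` directory line.
# SPOOL is copied from the listing in the post; the users' group sets are assumed.

SPOOL = "drwxrwxr-x   2 root     mail         1024 Aug  5 16:26 ."

def parse_ls_dir(line):
    """Return (mode, owner, group) from an `ls -l` directory line."""
    fields = line.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    if len(mode) != 10 or mode[0] != "d":
        raise ValueError("not a directory entry: %r" % line)
    return mode, owner, group

def can_create(line, user, groups):
    """True if a process with this user and group set may create a file
    (such as a dotlock) in the directory. That needs write and search (x)
    permission on the directory, and only the first matching class
    (owner, then group, then other) is consulted."""
    mode, owner, group = parse_ls_dir(line)
    if user == "root":
        return True
    if user == owner:
        triad = mode[1:4]
    elif group in groups:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    # lowercase s/t mean the execute bit is set together with setuid/setgid/sticky
    return triad[1] == "w" and triad[2] in "xst"

def world_writable_without_sticky(line):
    """True if any user may create entries and nothing restricts deletion
    to each file's owner (no sticky bit), so users could remove or replace
    one another's mailboxes."""
    mode, _, _ = parse_ls_dir(line)
    return mode[8] == "w" and mode[9] not in "tT"

if __name__ == "__main__":
    # Assumed case: the mail-access process runs as the user, not in group mail.
    print("plain user can lock:", can_create(SPOOL, "rgrunloh", {"rgrunloh"}))
    # Assumed case: the process also carries group mail (e.g. a setgid helper).
    print("with group mail:", can_create(SPOOL, "rgrunloh", {"rgrunloh", "mail"}))
    for proposed in ("drwxrwxrwx 2 root mail 1024 Aug  5 16:26 .",
                     "drwxrwxrwt 2 root mail 1024 Aug  5 16:26 ."):
        print(proposed.split()[0], "unsafe:", world_writable_without_sticky(proposed))
```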
