The OpenNET Project


[linux-security] Pine 4.02 and directory perms


Date: Fri, 14 Aug 1998 05:00:14 -0600 (MDT)
From: "J. Paul Reed" <preed@verinet.com>
To: linux-security@redhat.com
Subject: [linux-security] Pine 4.02 and directory perms

Hey linux-security-ers:

I just compiled/installed Pine 4.02 for my RH 5.0 machine today (didn't
see an RPM last time I checked ftp.redhat.com:/pub/contrib), and after I
got it installed, it kept giving me errors about not being able to create
a lockfile when dinking with my mailspool in /var/spool/mail.

After doing some digging on DejaNews and the Pine website, I find a
document that says the solution is to 'chmod 1777 /var/spool/mail' (you can
read the doc at http://www.washington.edu/pine/QandA/sysadmins.html).

Now, here's the question: isn't this inherently bad? Doesn't this allow
all sorts of exploits and such, as I can just go into /var/spool/mail and
start dumping things all over the place? Doesn't this open us up to a
bunch of problems /tmp shares as well?

The other suggestion they give is making pine sgid, and owned by a special
group (i.e. probably mail), but they find this solution insecure; I find
their solution insecure.

So, am I paranoid, or is the implementation wrong?

[mod: Please reply in personal mail to Paul. Paul, please summarize
the replies in about a week..... -- REW]


Later,
Paul
  -------------------------------------------------------------------------
  J. Paul Reed                 Among other things, just another perl hacker
  #!/usr/bin/perl       unless ($you =~ /spammer/) { print "Email me!\n"; } 
  @MyEmailAddresses = ("preed@verinet.com","paul@619pro.com"); 
  $MyWebPage = "http://www.verinet.com/~preed"; 

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
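
An audit for the concern raised in the message above, as an added example that is not part of the original post or of Pine: it reports the spool directory's sticky and world-write bits and lists entries that are not a regular mailbox owned by the user they are named after. The function names, the sample logins and the rule that a mailbox is named after its owner's login are assumptions of this example.

```python
import os, pwd, stat, tempfile

def dir_flags(path):
    """Permission bits on the spool directory that decide who may create entries."""
    mode = os.lstat(path).st_mode
    return {"world_writable": bool(mode & stat.S_IWOTH),
            "sticky": bool(mode & stat.S_ISVTX),
            "group_writable": bool(mode & stat.S_IWGRP)}

def account_uid(name):
    """Assumption: a mailbox file is named after its owner's login."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_spool(path, uid_for=account_uid):
    """List entries that do not look like a mailbox owned by its own user."""
    findings = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))  # lstat: never follow a link
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        elif name.endswith(".lock"):
            continue  # lockfiles are what the 1777 mode exists to allow
        elif uid_for(name) is None:
            findings.append((name, "no matching account"))
        elif uid_for(name) != st.st_uid:
            findings.append((name, "owner mismatch"))
        elif st.st_mode & stat.S_IRWXO:
            findings.append((name, "accessible to others"))
    return findings

def build_demo_spool():
    """Constructed sample spool in a temp dir; the logins are made up."""
    spool = tempfile.mkdtemp()
    os.chmod(spool, 0o1777)
    for name in ("alice", "alice.lock", "bob", "ghost"):
        with open(os.path.join(spool, name), "w"):
            pass
        os.chmod(os.path.join(spool, name), 0o600)
    os.symlink("/nonexistent", os.path.join(spool, "carol"))
    me = os.getuid()
    return spool, {"alice": me, "bob": me + 1, "carol": me}.get

if __name__ == "__main__":
    spool, lookup = build_demo_spool()
    print(dir_flags(spool), audit_spool(spool, lookup))
```

On a real system, call `audit_spool("/var/spool/mail")` with the default lookup, which resolves logins through the local password database.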
