On Fri, 30 Mar 2001, Ethan Benson wrote:
> On Fri, Mar 30, 2001 at 07:36:23PM -0500, Richard A Nelson wrote:
> > On Fri, 30 Mar 2001, Ethan Benson wrote:
> >
> > > /var/mail into the solaris style world writable /var/mail. except
> > > this is dependent on your MTA, sendmail and exim are broken in that
> > > they insist on creating mailspools mode 660 group=mail which means any
> > > gid=mail exploit compromises every single user's mail spool. i prefer
> > > postfix which creates mailspools mode 600 group=mail.
> >
> > As I'm sure you know, sendmail *never* touches *anything* in /var/mail -
> > that is the MDA's job... procmail, mailagent, deliver, etc..
>
> erm yes, just most/all sendmail setups i've seen seem to have 660
> mailspools, which has always made zero sense to me. (the delivery
> agent should setuid() itself to the target user to do the delivery)
>
> > Ok, sendmail does include a (very little used) default MDA (mail.local),
> > and the behaviour there is changeable... and I'll make it *not* do 660 from
> > now on.
>
> what does exim use? last time i installed a quick debian system and
> forgot to deselect exim in favor of postfix i noticed it created 660
> mailspools too. why is this ever done anyway?
>

Thanks for the useful info. I have added myself to the mail group and this
may or may not have fixed the problem. In any case I am able to read and
delete the mail. Previously I could not delete mail. Not clear whether
being in the mail group is appropriate...

> --
> Ethan Benson
> http://www.alaska.net/~erbenson/
>
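
An added example, not part of the original thread or any poster's code: a small audit that walks a mail spool directory and reports mailboxes whose mode grants access beyond the owner (the mode 660 versus mode 600 distinction discussed above). The function names and the sample spool are constructed for illustration; point `audit_spool` at `/var/mail` on a real system.

```python
import os
import stat
import tempfile


def audit_spool(spool_dir):
    """Return {mailbox: (octal_mode, [issues])} for spools open beyond the owner."""
    findings = {}
    for entry in sorted(os.scandir(spool_dir), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)  # lstat: never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue  # skip lock directories, symlinks, sockets
        mode = stat.S_IMODE(st.st_mode)
        issues = []
        if mode & stat.S_IRGRP:
            issues.append("group-readable")
        if mode & stat.S_IWGRP:
            issues.append("group-writable")
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            issues.append("world-accessible")
        if issues:
            findings[entry.name] = (oct(mode), issues)
    return findings


def build_sample_spool():
    """Constructed sample: one mode-660 mailbox and one mode-600 mailbox."""
    spool = tempfile.mkdtemp(prefix="spool-")
    for name, mode in (("alice", 0o660), ("bob", 0o600)):
        path = os.path.join(spool, name)
        with open(path, "w") as fh:
            fh.write("From constructed@example.invalid\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    return spool


if __name__ == "__main__":
    for box, (mode, issues) in audit_spool(build_sample_spool()).items():
        print(f"{box}: mode {mode}: {', '.join(issues)}")
```

Any mailbox it reports can be read or modified by every process running with the spool's group, which is the exposure described for gid=mail.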