[Alpine-info] Permissions of user mailboxes in /var/mail

Mark Crispin MRC at Washington.EDU
Sat Mar 29 10:58:50 PDT 2008


On Sat, 29 Mar 2008, James Pittman wrote:

>> "If I understand your question correctly, the answer is yes. It is OK for
>> mailbox files in /var/mail to be protected 0600 without any specific group
>> setting. In fact, this is the normal and expected protection for mailbox
>> files for the UW c-client library.
>
>> "Nothing in any version of Pine, Alpine, UW imapd, ipop3d, or any other UW
>> c-client based application has any dependency upon a mailbox file being
>> accessible by group mail.
>
> This being the case, is there any way to stop Alpine whinging about the fact
> that my INBOX doesn't have 1777 protection every time I open it?


You have two choices:
. set the mail spool protection to 1777 (there is NO reason AT ALL not
to do this on a single user system, and only bad reasons not to do this
on a multi-user system)
or
. install the mlock tool which is included as part of the UW IMAP
distribution. mlock runs setgid mail, and thus does what c-client does
not do.

The reason for that "whinging" is that there is a serious problem. The
problem is that NOTHING protects your mailbox from being corrupted if a
delivery attempt is made while Alpine/Pine/imapd/ipop3d/etc. is updating
the mailbox.

The message is obnoxious for a reason; it is to induce you to fix the
problem, rather than wait until your mailbox gets corrupted.

Put another way: you MUST arrange matters so that Alpine can create the
lock files that it needs to create.

The best solution is to set the spool directory protection to 1777. This
whole "group mail" stuff is hokey, doesn't really buy you any true
security, and opens security weaknesses of its own. But if you insist
upon using group mail, then you MUST install mlock since Alpine will not
do so itself.

Note as well that ALL of the above applies to the spool directory.
NOTHING should EVER need group mail access to the mailbox files
themselves; that is a security bug that you can drive a truck through.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
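
The following is an added example, not code from Mark Crispin's post, from Alpine or from the UW IMAP distribution. It checks the two conditions the reply above turns on: whether the spool directory lets an ordinary user create the lock file beside the mailbox (which mode 1777 permits directly and which otherwise needs the setgid-mail mlock helper), and whether the mailbox file itself is 0600 with no group or world bits. The spool path /var/mail and the `<mailbox>.lock` naming are assumptions for illustration; every function takes the directory or file as a parameter so the checks can be run against a scratch directory without touching the real spool.

```python
"""Added example: check /var/mail locking preconditions described in the
Alpine-info reply. Not part of Alpine or UW IMAP; paths and the
<mailbox>.lock naming are assumptions made for this illustration."""
import getpass
import os
import stat

SPOOL_DIR = "/var/mail"  # assumed default spool; override when calling


def spool_dir_status(spool_dir: str) -> str:
    """Classify the spool directory by its permission bits.

    "ok-1777"                 world-writable with the sticky bit: anyone
                              can create a lock file, nobody can delete
                              another user's lock file.
    "world-writable-no-sticky" lock files can be created but any user can
                              remove someone else's (a hazard, not a fix).
    "group-mail"              group-writable only: lock files can only be
                              made by a setgid-mail helper such as mlock.
    "locked-down"             nothing else: ordinary users cannot lock.
    """
    mode = stat.S_IMODE(os.stat(spool_dir).st_mode)
    if (mode & 0o1777) == 0o1777:
        return "ok-1777"
    if mode & stat.S_IWOTH:
        return "world-writable-no-sticky"
    if mode & stat.S_IWGRP:
        return "group-mail"
    return "locked-down"


def can_create_lock(spool_dir: str, mailbox: str) -> bool:
    """Attempt what the mail reader needs: create <mailbox>.lock in the
    spool directory with O_CREAT|O_EXCL, then remove it again.

    Returns False both when the directory refuses the create and when a
    lock already exists (another process is updating the mailbox)."""
    lock_path = os.path.join(spool_dir, mailbox + ".lock")
    try:
        fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    except OSError:
        return False
    os.close(fd)
    os.unlink(lock_path)
    return True


def mailbox_mode_problems(mailbox_path: str) -> list[str]:
    """Report deviations from the expected 0600 mailbox protection.

    Any group bit is flagged: per the reply, no UW c-client program needs
    group-mail access to the mailbox file itself."""
    mode = stat.S_IMODE(os.stat(mailbox_path).st_mode)
    problems = []
    if mode & 0o070:
        problems.append("group bits set (0%o): group mail must not need them"
                        % (mode & 0o070))
    if mode & 0o007:
        problems.append("world bits set (0%o)" % (mode & 0o007))
    return problems


if __name__ == "__main__":
    # Run against the real spool when invoked directly.
    if not os.path.isdir(SPOOL_DIR):
        raise SystemExit("%s does not exist on this host" % SPOOL_DIR)
    user = getpass.getuser()
    print("%s: %s" % (SPOOL_DIR, spool_dir_status(SPOOL_DIR)))
    print("can create %s.lock: %s" % (user, can_create_lock(SPOOL_DIR, user)))
    mbox = os.path.join(SPOOL_DIR, user)
    if os.path.exists(mbox):
        print("mailbox problems: %s" % (mailbox_mode_problems(mbox) or "none"))
```

A "group-mail" result means the directory is in exactly the state the reply warns about: Alpine cannot make the lock file itself and will keep warning until either the directory is set to 1777 or mlock is installed; a "world-writable-no-sticky" result is not a cure, since any user could remove another user's lock file.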
