The last few days we’ve been having a bit of discussion in #-netmail about uw apps. They display a *really* bogus message if the mail spool directory (/var/spool/mail) is not protected with 1777 (*sigh*):
Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
Of course mailbase creates /var/spool/mail and sets 0775 on it. Thats a real protection since it prevents someone from doing:
for i in /var/spool/mail/* ; do touch ${i}.lock; done
and mess the mail system.
Quoting from the UW IMAP FAQ:
Directory protection 1777 is secure enough on most well-managed systems. If you can’t trust your users with a 1777 mail spool (petty harassment is about the limit of the abuse exposure), then you have much worse problems then that.
It sounds ridiculous to me. I think we will finally adopt the workaround in https://bugzilla.redhat.com/beta/show_bug.cgi?id=103479#c8 or probably patch the sources to remove that annoying message.
I wonder how 1777 on the mail spool directory should be used for security reasons (*sigh*) Maybe someone will explain it to me…
Any ideas on how to solve this ?
Cheers,
Ferdy