{"id":4,"date":"2005-06-09T21:35:32","date_gmt":"2005-03-21T12:27:54","guid":{"rendered":""},"modified":"2005-06-09T21:35:32","modified_gmt":"2005-06-09T21:35:32","slug":"1777_is_not_protection","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ferdy\/2005\/06\/09\/1777_is_not_protection\/","title":{"rendered":"1777 is not &#8216;protection&#8217;"},"content":{"rendered":"<p>The last few days we&#8217;ve been having a bit of discussion in #-netmail about uw apps. They display a *really* bogus message if the mail spool directory (\/var\/spool\/mail) is not protected with 1777 (*sigh*):<\/p>\n<p><code>Mailbox vulnerable - directory \/var\/spool\/mail must have 1777 protection<\/code><\/p>\n<p>Of course mailbase creates \/var\/spool\/mail and sets 0775 on it. That&#8217;s a real protection since it prevents someone from doing:<\/p>\n<p><code>for i in \/var\/spool\/mail\/* ; do touch ${i}.lock; done<\/code><\/p>\n<p>and messing up the mail system.<\/p>\n<p>Quoting from the UW IMAP FAQ:<\/p>\n<blockquote><p>Directory protection 1777 is secure enough on most well-managed systems. If you can&#8217;t trust your users with a 1777 mail spool (petty harassment is about the limit of the abuse exposure), then you have much worse problems than that.<\/p><\/blockquote>\n<p>It sounds ridiculous to me. I think we will finally adopt the workaround in https:\/\/bugzilla.redhat.com\/beta\/show_bug.cgi?id=103479#c8 or probably patch the sources to remove that annoying message.<\/p>\n<p>I wonder how 1777 on the mail spool directory should be used for security reasons (*sigh*). Maybe someone will explain it to me&#8230;<\/p>\n<p>Any ideas on how to solve this?<\/p>\n<p>Cheers,<br \/>\nFerdy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The last few days we&#8217;ve been having a bit of discussion in #-netmail about uw apps. 
They display a *really* bogus message if the mail spool directory (\/var\/spool\/mail) is not protected with 1777 (*sigh*): Mailbox vulnerable &#8211; directory \/var\/spool\/mail must have 1777 protection Of course mailbase creates \/var\/spool\/mail and sets 0775 on it. That&#8217;s a &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ferdy\/2005\/06\/09\/1777_is_not_protection\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">1777 is not &#8216;protection&#8217;<\/span><\/a><\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts\/4"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/comments?post=4"}],"version-history":[{"count":0,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/posts\/4\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/media?parent=4"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/categories?post=4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ferdy\/wp-json\/wp\/v2\/tags?post=4"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}