On Tue, May 15, 2001 at 02:15:45PM +0100, Andrew Hilborne (andrew.hilborneat_private) wrote:
> > > > (At least not if your /var/mail directory has the standard 1777 permissions)
> >
> > By forcing a file permission of 600 on mailboxes, group mail should not
> > gain you anything.
>
> Just how do you force 0600 on mailboxes which don't exist (many MUAs remove
> empty mailboxes?)

If that's true, then even *without* this particular bug in Solaris, there's
an icky denial of service attack waiting to happen. Sticky mailspools are
awfully common these days, and all that stops Bob from doing

    touch /var/spool/mail/alice

and causing the MTA to refuse to deliver is that Alice's mailbox should
never *not* be there in the first place. Which MUAs behave in the way you
describe?

> Since you cannot easily do this, at the very least a malicious user should be
> able to steal other users' mail. I think.

If they can, then *that's* a flaw in the MTA, which should never deliver
into something that isn't owned by the recipient.

-Rich

--
------------------------------ Rich Lafferty ---------------------------
Sysadmin/Programmer, Instructional and Information Technology Services
Concordia University, Montreal, QC (514) 848-7625
------------------------- richat_private ----------------------
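The check the reply above asks of an MTA (never append to a spool file the recipient does not own), written out as an added example; this is not code from the thread or from any MTA. It goes a little beyond the ownership point by also refusing symlinks, non-regular files and group/other-accessible mailboxes, and the spool directory and mailboxes it inspects are constructed in a temporary directory, with the current uid standing in for the recipient.

```python
import os
import shutil
import stat
import tempfile


def check_mailbox(path, recipient_uid):
    """Reasons a local delivery agent should refuse to append to `path`
    for `recipient_uid`; an empty list means it is safe to deliver.
    lstat is used so a symlink planted in the spool is seen as a symlink."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # The MTA should create the mailbox itself (recipient-owned, 0600)
        # instead of accepting whatever file appears under that name later.
        return ["missing"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != recipient_uid:
        problems.append("not owned by recipient")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access bits set")
    return problems


def demo():
    """Constructed 1777 spool with one sane mailbox and three planted cases;
    returns {name: problems} for each (assumed uids, not real accounts)."""
    me = os.getuid()
    spool = tempfile.mkdtemp()
    try:
        os.chmod(spool, 0o1777)      # sticky, world-writable, like /var/spool/mail
        good = os.path.join(spool, "alice")
        open(good, "w").close()      # created by the MTA: owner alice, 0600
        os.chmod(good, 0o600)
        planted = os.path.join(spool, "carol")
        open(planted, "w").close()   # `touch /var/spool/mail/carol` by another user
        os.chmod(planted, 0o644)     # default umask leaves it group/other readable
        os.symlink("/dev/null", os.path.join(spool, "dave"))
        return {
            "alice": check_mailbox(good, me),
            "carol": check_mailbox(planted, me + 1),  # carol's uid is not the creator's
            "dave": check_mailbox(os.path.join(spool, "dave"), me),
            "erin": check_mailbox(os.path.join(spool, "erin"), me),
        }
    finally:
        shutil.rmtree(spool)
```

A delivery agent would create the missing "erin" mailbox itself under the recipient's uid with mode 0600, which is what removes the touch-based refusal described above.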
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 06:52:33 PDT