RE: "Correct" permissions on /var/mail?

From: Jason DiCioccio (jdicioccio@epylon.com)
Date: 06/25/01 

From: Jason DiCioccio <jdicioccio@epylon.com>
To: 'Leonard Chung' <leonard@ssl.berkeley.edu>, security@FreeBSD.ORG
Date: Mon, 25 Jun 2001 09:58:51 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I use the freebsd default, although someone could still fill up /var
if they wanted to.. (cat /dev/urandom >/var/mail/`whoami`)

But 1777 they could create extra files, no? I'd rather not have a
second /tmp..

Cheers,
- -JD-

- -----Original Message-----
From: Leonard Chung [mailto:leonard@ssl.berkeley.edu]
Sent: Sunday, June 24, 2001 2:12 PM
To: security@FreeBSD.ORG
Subject: "Correct" permissions on /var/mail?

I was having a debate with a colleague the other day on the correct
mode
for /var/mail. He claimed that 1777 is more secure than what I've
always
had (the FreeBSD default of root:mail 775).

1777 gives you the additional benefit of protecting you from
compromises on
the mail group, but requires that on every machine quotas be
installed even
for machines with just one or two users. Without quotas, a malicious
user
could fill up /var/mail creating a DoS for everybody receiving mail
off
that machine. 775 doesn't protect against compromises of the mail
group,
but has the added benefit that it protects against a user filling
/var/mail
inadvertently as they would have to purposely send lots of e-mail.

Which do most of you use? Is there a reason /var/mail is initially
set to
775 rather than 1777?

Thanks,

Leonard

- --
Leonard Chung - <leonard@ssl.berkeley.edu>
SETI@home - The Search for Extraterrestrial Intelligence @ home
http://www.setiathome.ssl.berkeley.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOzdupVCmU62pemyaEQK3RwCgzkfVW04EYczOaPU7bJrNb1RQM2wAn0tI
VBfsNr+Jg1j6n+S40M4QXRMA
=RbAH
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: Security zone
    ... ZoneAlarm isn't available for FreeBSD, or any other flavor of UNIX. ... much better ways of protecting the system, ...
    (FreeBSD-Security)
  • Re: "Correct" permissions on /var/mail?
    ... > had (the FreeBSD default of root:mail 775). ... > 1777 gives you the additional benefit of protecting you from ... > the mail group, but requires that on every machine quotas be ...
    (FreeBSD-Security)
  • RE: [COVERT-2001-01] Multiple Vulnerabilities in BIND - FreeBSD Implications ?
    ... Multiple Vulnerabilities in BIND - FreeBSD ... To those that want to upgrade to 8.2.3-REL before the official FreeBSD ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • RE: "humorous" SA jokes
    ... :posting "funny" SA-s about the advantages of OpenBSD vs FreeBSD. ... :And I seriously doubt that this message was approved by the moderator. ... :Szeged University ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)
  • Re: Lost Password
    ... FreeBSD list is probably considered "the wrong place to post this message". ... One of the WinNT ... ::> Has anyone out ther had any experience in retrieving passwords. ... with "unsubscribe freebsd-security" in the body of the message ...
    (FreeBSD-Security)