Re: "Correct" permissions on /var/mail?
From: Valentin Nechayev (netch@lucky.net)
Date: 06/26/01
- Next message: Valentin Nechayev: "Re: Letting scp through a firewall using ipfilter"
- Previous message: Valentin Nechayev: "Re: Re[2]: disable traceroute to my host"
- In reply to: Leonard Chung: ""Correct" permissions on /var/mail?"
- Next in thread: Sheldon Hearn: "Re: "Correct" permissions on /var/mail?"
- Reply: Sheldon Hearn: "Re: "Correct" permissions on /var/mail?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Jun 2001 14:28:53 +0300 From: Valentin Nechayev <netch@lucky.net> To: Leonard Chung <leonard@ssl.berkeley.edu>
Sun, Jun 24, 2001 at 14:11:54, leonard wrote about ""Correct" permissions on /var/mail?":
> I was having a debate with a colleague the other day on the correct mode
> for /var/mail. He claimed that 1777 is more secure than what I've always
> had (the FreeBSD default of root:mail 775).
1777 has the only advantage that it doesn't require sgid privileges
for MUAs. But such solution is not less harmful due to new /tmp
in /var/mail. Better variant is to fix MUA to use separate locking program
(such as mutt-dotlock) or even get rid of /var/mail as ugly legacy.
Keep all incoming mail in user's home and "your teeth will be white
anf fluffy".
> 1777 gives you the additional benefit of protecting you from compromises on
> the mail group, but requires that on every machine quotas be installed even
> for machines with just one or two users. Without quotas, a malicious user
> could fill up /var/mail creating a DoS for everybody receiving mail off
> that machine. 775 doesn't protect against compromises of the mail group,
> but has the added benefit that it protects against a user filling /var/mail
> inadvertently as they would have to purposely send lots of e-mail.
Requirement to have /var/mail as separate partition is too hard for
most applications.
/netch
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Valentin Nechayev: "Re: Letting scp through a firewall using ipfilter"
- Previous message: Valentin Nechayev: "Re: Re[2]: disable traceroute to my host"
- In reply to: Leonard Chung: ""Correct" permissions on /var/mail?"
- Next in thread: Sheldon Hearn: "Re: "Correct" permissions on /var/mail?"
- Reply: Sheldon Hearn: "Re: "Correct" permissions on /var/mail?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
