LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-15-2002, 06:44 AM   #1
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
What if making /var/mail world-writeable?


It seems that I have to make /var/mail world-writeable in order that procmail can correctly deliver the mails of users.

Procmail is called via the users' .forward file, and presently only delivers a mail if the users mailbox is not empty. Otherwise it complains of a lock failure and does not create the user's mailbox file (thus the mail is lost).

The present permissions of /var/mail are:
drwxrwxr-x root mail /var/mail

What is your opinion about this? Is there a better workaround?

Last edited by J_Szucs; 08-15-2002 at 06:46 AM.
 
Old 08-15-2002, 04:54 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
Maybe look here?
 
Old 08-15-2002, 06:53 PM   #3
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Original Poster
Rep: Reputation: 58
That FAQ suggests to set the sticky bit on the word-writeable mail directory. (Although there are no procmailrcs in the home directories; does it mean that procmail gets rid of sgid mail if ANY program is called from /etc/procmailrc?)
I also put up this question at the procmail mailing list, where I was advised to check and set the setuid root permission of procmail. (I wonder if setuid root would work at all, since as procmail gets rid of the sgid mail permissions, it might more happily get rid of the root permissions as soon as the time comes).
Provided that the latter also works, which solution would you choose? (Well... I suppose you would choose none of the two. But say... if you
were threatened with death to choose one?)
I myself have to use such solutions because I do not have full control over the whole mail system; I must respect that sendmail (suid root) belongs to the competence of our so-called system administrator. (Two years were not enough for him to set up a working mail filter to protect 50 users sitting behind unpatched Outlook Expre$$es...)

Last edited by J_Szucs; 08-15-2002 at 06:57 PM.
 
Old 08-16-2002, 10:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
LOL. If I was threatened with death I most certainly wouldn't think of prcmail's sgid behaviour first.

AFAIK "the time comes" when a ~/.forward and/or ~/.procmailrc are availabe: if ~/.procmailrc or ~/.forward are available, and the permissions are 0600 for rc (and mailbox) and 704 for forward, then change uid and drop sgid to owner's uid and gid. Commands from /etc/procmailrc use /etc/procmailrc's stated shell (of the user delivering to) and with DROPPRIVS=YES privs will be dropped to that of the user. At least that's what Ive tested (delivering to users mboxes tho, not /var/(spool/)mail, and with procmail defined as the MTA's LDA).

I think sgid mail and 1777 /var/mail are good but since a 0755 procmail will be dropping privs to user I'm not sure why they would suggest needing setuid root. I'm against setuid root binaries unless there's no proven workable alternative with lower privs, but then again I'm sure I'm forgetting something crucial about dotlocks or flocks but I ain't no procmail guru, ok? Could you post their reply in full?

Btw, if you say you're losing mail I would first get rid of ~/.forwards, and define a global failure rule in /etc/procmailrc that would drop to a default mbox or back into the queue. Yes, you *can* have if-else rules with procmail.

Btw2, did you define LOGVERBOSE=ALL to get a grip on the cause of not locking?

HTH somehow.
 
Old 08-18-2002, 10:33 AM   #5
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Original Poster
Rep: Reputation: 58
Strange, but suid root worked.
From a certain point of view it was better at the beginning:
Then things did not work, but I knew why.
Now that procmail runs as suid root things work but I do not know why...

P.S.
I cannot avoid the users' .forward files, since they are the only way I can use to call procmail. As I mentioned before, I am not allowed to edit sendmail.cf, where mail is defined as the only LDA (our system administrator preferred that).
I prefer the suid root solution because it is the same method that our system administrator choosed for sendmail; thus I cannot be accused of doing something worse (e.g. disclosing the privacy of the mailboxes of users).

Last edited by J_Szucs; 08-18-2002 at 10:35 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Individual user's mail file in /var/spool/mail Swakoo Linux - General 1 09-07-2005 07:33 AM
sendmail error Fetching mail could not lock /var/spool/mail/username sukhdev50 Linux - Networking 0 05-04-2005 04:41 AM
?how to make mail go to diff place than /var/spool/mail ctejas Linux - General 0 06-24-2004 01:58 AM
world writeable files will not stay world writeable antken Mandriva 1 03-02-2004 06:04 PM
making a vfat mount point writeable for users stevenhasty Linux - Newbie 27 03-31-2003 10:30 PM


All times are GMT -5. The time now is 10:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration