On Thu, Apr 22, 2004 at 03:09:23PM -0700, Tim Alberts wrote:
> I've learned that if I set the /var/spool/mail folder permission to
> 777, I no longer get the following error.
...
> Mailbox Vulnerable - Directory /var/spool/mail must have 1777
> protection
...
> It seems odd that something requires worldwriteable access to the
> /var/spool/mail folder.
Compare and contrast 777 and 1777.
The permissions 1777 means that each individual mail folder can be
owned by the individual and that trusted applications are not required
to access mail box content.
Secure trusted applications that are user identity agile are hard to write.
It is simpler to write a tool that lets the operating system's native
permission and security policy protect things.
For directories the extra bit requires the OS to enforce a policy
that only the owner of a dir or file in a 1777 dir can change it.
>From the chmod man page:
"STICKY DIRECTORIES
"When the sticky bit is set on a directory, files in that directory may
be unlinked or renamed only by root or their owner. Without the sticky
bit, anyone able to write to the directory can delete or rename files.
The sticky bit is commonly found on directories, such as /tmp, that are
world-writable."
See also "info chmod"
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
