Re: Problem with Fedora1 and ipop3d

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 22, 2004 at 03:09:23PM -0700, Tim Alberts wrote:

> I've learned that if I set the /var/spool/mail folder permission to
> 777, I no longer get the following error.
...
> Mailbox Vulnerable - Directory /var/spool/mail must have 1777
> protection
...
> It seems odd that something requires worldwriteable access to the 
> /var/spool/mail folder.

Compare and contrast 777 and 1777.

The permissions 1777 means that each individual mail folder can be
owned by the individual and that trusted applications are not required
to access mail box content.

Secure trusted applications that are user identity agile are hard to write.
It is simpler to write a tool that lets the operating system's native
permission and security policy protect things.

For directories the extra bit requires the OS to enforce a policy
that only the owner of a dir or file in a 1777 dir can change it.
>From the chmod man page:

  "STICKY DIRECTORIES
       "When  the sticky bit is set on a directory, files in that directory may
       be unlinked or renamed only by root or their owner.  Without the sticky
       bit,  anyone able to write to the directory can delete or rename files.
       The sticky bit is commonly found on directories, such as /tmp, that are
       world-writable."

See also "info chmod"


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux