On Mon, 2004-06-28 at 14:12, Olga wrote: > Well, you can either take Red Hat point of view or the > University of Washington. You can leave the permissions the > way they are, but you will have those messages in the log. > If they don't bother you that's ok, but they bugged me. > On one test box I also tried installing an older version of > imap over the top and that solved the problem for me as > well. I didn't have to change permission and there were no > messages. > Probably the one giving the messages came from some source other than RedHat, and did not have their patches applied. The age of the package would not really be a factor, since the ones from redhat were patched and the ones from other sources were not. > > Quoting Hongwei Li <hongwei@xxxxxxxxxxxxxxxxxx>: > > > > The bug has already been reported: > > > > > > > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479 > > > > > > > Thanks! This is very useful! What do you think about > > the comment in the > > report page, especailly the 3rd paragraph: > > > > Additional Comment #3 From Mike A. Harris on 2004-02-27 > > 04:58 ------- > > > > This warning message from UW imap is 100% bogus. Red Hat > > does not > > use the same locking mechanism that is recommended by the > > UW imap > > people, because it is inherently more insecure. > > > > All software on the system which accesses the mail spool > > files > > must agree upon a common locking mechanism, and must be > > patched > > if necessary to all use one single mechanism. Red Hat > > has been > > using the same mechanism in all OS releases for many > > years now, > > and we have patched UW imap, and UW pine to use our > > system-wide > > mechanism for some time now. > > > > UW suggests that the mail spool directory should be mode > > 1777, > > which is incredibly insane, as that makes the mail spool > > directory > > *world writeable*, and thus subject to local DOS attacks. > > That > > is totally unacceptable in a modern Linux/UNIX OS. > > > > The proper fix for this bug, is to patch the UW imap > > sources to > > remove this bogus warning/error message, because we do > > not use > > the insecure method that UW recommends for mail locking. > > Doing > > otherwise, would require patching every single MTA, MDA, > > and MUA > > in the entire distribution to do it the ensecure > > world-writeable > > way, and we decided a very long time ago that that was > > not acceptable. > > > > > > > > -- > > fedora-list mailing list > > fedora-list@xxxxxxxxxx > > To unsubscribe: > > http://www.redhat.com/mailman/listinfo/fedora-list > > > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. >
