[tpop3d-discuss] tpop3d, sendmail and owner of mailbox

Chris Lightfoot chris at ex-parrot.com
Wed, 14 Nov 2001 16:47:40 +0000


On Wed, Nov 14, 2001 at 04:54:55AM -0800, Paul Makepeace wrote:
> On Wed, Nov 14, 2001 at 12:43:39PM +0000, Chris Lightfoot wrote:
> > Ah, what would be the fun of having a mailing list without
> > the occasional flame-war....
> > 
> > The counterarguments are:
> > 
> >     - group mail g+w means that all mail clients must be
> >       setgid mail in order to do locking properly, and
> >       therefore introduce an additional security exposure;
> 
> Hmm, well exim is a monolithic setuid root MTA.

... which has a good security history, certainly better
than many MUAs. MUAs are typically more complex anyway
(they have to deal with MIME, character sets and all sorts
of other badness). I wouldn't want to trust any part of
the security of a machine to PINE, say. And there's no
reason at all that an MUA should represent a security
boundary within the system in the sense of being setgid,
anyway.

> >     - if somebody is sufficiently silly to try to fill up
> >       /var/spool/mail, it will be fairly obvious who is
> >       responsible;
> 
> Depending on the architecture of the MTA being able to create symlinks
> might be a problem...

Possibly. But let's assume that we're not using Postfix.

> >     - suitably-configured user disk quotas make this all
> >       kind of irrelevant anyway.
> 
> Disk quotas are a dog on linux in big settings, so I've heard.

That's not a big surprise.

IMO the real problem is lock files. Setgid MUAs and 1777
/var/spool/mail are just (equally) ugly workarounds. The
real solution is to use a real sort of lock.

> Flamewars, security, unix & Bernstein:
> http://cr.yp.to/maildisasters/postfix.html
> http://packetstorm.decepticons.org/9901-exploits/qmail-DoS.txt

Yes....

-- 
 Early to rise and early to bed,
 makes a man healthy, wealthy and dead (Thurber)
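As an added example (not code from this thread or from tpop3d), here is the distinction behind "a real sort of lock": a dotlock has to create a file in the spool directory, so the directory itself must be writable by every client, whereas a kernel fcntl() lock is taken on the mailbox file alone and leaves the directory mode out of the picture. The temporary spool directory, the "alice" mailbox and the demo() helper are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Dotlock: atomically create "<mailbox>.lock" with O_EXCL.  This needs write
 * permission on the spool DIRECTORY, hence g+w plus setgid clients, or 1777. */
int dotlock_acquire(const char *mailbox) {
    char lockpath[4200];
    snprintf(lockpath, sizeof lockpath, "%s.lock", mailbox);
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;               /* EEXIST: another client holds it */
    close(fd);
    return 0;
}

void dotlock_release(const char *mailbox) {
    char lockpath[4200];
    snprintf(lockpath, sizeof lockpath, "%s.lock", mailbox);
    unlink(lockpath);
}

/* Kernel lock: POSIX fcntl() write lock on the mailbox file itself.  Only the
 * file must be writable by its owner; the directory mode is irrelevant, so no
 * setgid client or 1777 spool is needed.  Returns the locked fd, or -1. */
int kernel_lock_acquire(const char *mailbox) {
    int fd = open(mailbox, O_RDWR);
    if (fd < 0) return -1;
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET }; /* whole file */
    if (fcntl(fd, F_SETLK, &fl) < 0) { close(fd); return -1; }
    return fd;                           /* close(fd) drops the lock */
}
/* Constructed demo: private spool directory with one empty mailbox "alice".
 * Returns 0 when every check passed; each set bit names a failed check. */
int demo(void) {
    char dir[] = "/tmp/spoolXXXXXX", mailbox[4096];
    if (!mkdtemp(dir)) return -1;
    snprintf(mailbox, sizeof mailbox, "%s/alice", dir);
    int mfd = open(mailbox, O_WRONLY | O_CREAT, 0600);
    if (mfd < 0) return -1;
    close(mfd);
    int result = 0;
    if (dotlock_acquire(mailbox) != 0) result |= 1;   /* first dotlock succeeds */
    if (dotlock_acquire(mailbox) == 0) result |= 2;   /* second one is refused */
    dotlock_release(mailbox);
    int lfd = kernel_lock_acquire(mailbox);
    if (lfd < 0) result |= 4; else close(lfd);        /* fcntl lock succeeds */
    unlink(mailbox); rmdir(dir);
    return result;
}
```

Note that fcntl() locks are per process, so a second open() in the same process would not conflict; the contention case only shows up between two different clients, which is exactly the case that matters on a shared spool.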