[14716] in bugtraq
Re: pop3
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Fri Apr 28 18:22:58 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.0004271451010.17882-100000@freefall.freebsd.org>
Date: Thu, 27 Apr 2000 14:52:57 -0700
Reply-To: Kris Kennaway <kris@FREEBSD.ORG>
From: Kris Kennaway <kris@FREEBSD.ORG>
X-To: spoon spoon <sp00n@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <8782.956247808@www5.gmx.net>
On Thu, 20 Apr 2000, spoon spoon wrote:
> >I noticed the following behavior in the pop3 server as shipped with
> >Redhat 6.1 (still don't see
>
> Qualcomm's POP servers have this problem as well, on Linux, Solaris, etc.
> Except the lock file gets stored wherever your users' mail is stored.
> /var/mail (on a Sun) or wherever. I guess a nice solution would be to have a
> subdirectory with mode 700 permissions under /var/mail/locks or something like
> that where only the popper can write to. Or just ignore the lock if the owner
> of the lock file is different than the userid of the person popping their
> mail.
Just a note that FreeBSD doesn't have this problem: /var/mail is only
group-writable to the mail group, and popauth is setuid to a "pop" user
which is in the group and can create the lock/temporary file.
Kris
----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
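
[Added example, not part of the original post or of any POP server's code.] The two checks discussed in the thread, written as a spool audit: is the spool directory writable by everyone, and is each lock owned by the owner of the mailbox it locks. The `<mailbox>.lock` naming and all function names are assumptions; the thread does not name the lock file.

```python
import os
import stat
import tempfile

LOCK_SUFFIX = ".lock"  # assumption: <mailbox>.lock; the thread names no lock file


def dir_is_exposed(mode):
    """True if any local user may create files (and so locks) in the spool."""
    return bool(mode & stat.S_IWOTH)


def lock_verdict(lock_st, mailbox_st):
    """Apply the rule quoted in the thread: honor a lock only if its owner
    is the mailbox owner. Both arguments are lstat() results (or None)."""
    if not stat.S_ISREG(lock_st.st_mode):
        return "ignore: not a regular file"   # symlink, directory, fifo ...
    if mailbox_st is None:
        return "ignore: no matching mailbox"
    if lock_st.st_uid != mailbox_st.st_uid:
        return "ignore: owner differs from mailbox owner"
    return "honor"


def audit_spool(spool, lstat=os.lstat):
    """Return (exposed, {lock_name: verdict}) for the locks found in spool."""
    exposed = dir_is_exposed(lstat(spool).st_mode)
    verdicts = {}
    for name in sorted(os.listdir(spool)):
        if not name.endswith(LOCK_SUFFIX) or name == LOCK_SUFFIX:
            continue
        try:
            mailbox_st = lstat(os.path.join(spool, name[:-len(LOCK_SUFFIX)]))
        except FileNotFoundError:
            mailbox_st = None
        verdicts[name] = lock_verdict(lstat(os.path.join(spool, name)), mailbox_st)
    return exposed, verdicts


if __name__ == "__main__":
    # Constructed sample spool: one mailbox with a lock, one stray lock.
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)               # world-writable, sticky
        for name in ("alice", "alice.lock", "bob.lock"):
            open(os.path.join(spool, name), "w").close()
        print(audit_spool(spool))
```

lstat() is used rather than stat() so that a symlink placed where a lock is expected is reported as such instead of being followed.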