[8447] in bugtraq
Re: Possible mail spool problem
daemon@ATHENA.MIT.EDU (CyberPsychotic)
Fri Nov 6 19:12:59 1998
Date: Fri, 6 Nov 1998 10:02:10 +0500
Reply-To: fygrave@tigerteam.net
From: CyberPsychotic <mlists@GIZMO.KYRNET.KG>
X-To: signal <soren@PANGEA.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.981104200341.32039A-100000@PARADIGM.PANGEA.CA>
~ Following installation of suse 5.1, the setup software sets the mail spool
~ directory world writable, which has a potential of causing some security
~ problems. Although I have checked a lot of possible forms of exploiting
~ this, there are probably some I have missed. Removing the o+w bit from the
~ directory will surely solve the problems.
~
They should have the sticky bit set there as well (I don't have suse anywhere
around so cannot check). However, many of the latest mail clients (such as pine
3.96 and later, procmail) attempt to create a lock file in /var/spool/mail;
one of the solutions for this problem would be to make this dir world writable
with the sticky bit on.
Fyodor
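
One way to audit the directory mode discussed in this thread, as an added example that is not part of the original posts. The function names and the status words are hypothetical, and the sample directories are constructed in a temp dir.

```shell
#!/bin/sh
# Added example: classify a mail spool directory by its o+w and sticky bits.
# Nothing touches the real /var/spool/mail unless you pass it as an argument.

# Print one of: missing | unsafe | sticky | restricted
#   unsafe     = world-writable without the sticky bit (e.g. 0777)
#   sticky     = world-writable with the sticky bit    (e.g. 1777)
#   restricted = not world-writable                    (e.g. 0775)
spool_mode_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"; return 2
    fi
    # -prune stops find from descending, so only the directory itself is tested.
    if [ -n "$(find "$dir" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "unsafe"; return 1
    fi
    if [ -n "$(find "$dir" -prune -perm -0002 -perm -1000 -print)" ]; then
        echo "sticky"; return 0
    fi
    echo "restricted"; return 0
}

# Build three constructed directories and report the status of each.
demo_spool_audit() {
    base=$(mktemp -d) || return 1
    mkdir "$base/open" "$base/sticky" "$base/closed"
    chmod 0777 "$base/open"
    chmod 1777 "$base/sticky"
    chmod 0775 "$base/closed"
    for d in open sticky closed; do
        printf '%s: %s\n' "$d" "$(spool_mode_status "$base/$d")"
    done
    rm -rf "$base"
}

# With an argument, audit that directory; otherwise run the constructed demo.
if [ $# -gt 0 ]; then
    spool_mode_status "$1"
else
    demo_spool_audit
fi
```

An "unsafe" result corresponds to the two fixes named in the thread: remove o+w from the directory, or keep it world writable and set the sticky bit.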