psc@lzaz.UUCP (Paul S. R. Chisholm) (01/19/87)
< "I'm *not* expendable, I'm *not* stupid, and I'm *NOT* going!" >

As most people know, your mailbox (where incoming mail is stored before you read it, usually /usr/mail/$LOGNAME) is by default world readable. This has been very amusing to would-be hackers, and very embarrassing to couples sending each other electronic love notes.

[I don't believe that this is the case with the AT&T 3B20A that I used to use, running SVR2.1. I just tried it with my 68020 system running SVR2.2 and "mail" created the file 660. Other systems may very well have this problem. -RWH]

Most mailers have a simple solution. If your mailbox has anything in it, you can change the permissions on it. (If it doesn't exist, send yourself some mail.) If your mail program empties out the mailbox, but the mailbox doesn't have the default permissions, it will be truncated to an empty file with your specified permission. If it has the default permission, it's removed.

It seems /bin/mail and mailx have different ideas of what the default permissions are. /bin/mail thinks the default is 664 (readable and writable by the owner and group mail, readable by the world). mailx thinks the default is 660 (not readable by the world). I'd changed my mailbox to 660 by hand. The first time I read my mail with mailx, my mailbox was removed! The next time someone sent me mail with /bin/mail, my mailbox would be world readable again. Yuchh.

My solution was to change the permission to 620 (readable and writable by me, writable by group mail). Mailers can add new messages to my mailbox, I can (destructively) read my mail, and no one else can see my mail messages. If a further kludge is needed, I could add random execution permissions to my mailbox.

(Point of information for wizards: /bin/mail runs as the user running it, but as group mail. mailx runs with the user's id and group id, and runs a separate set-group-id program to remove the mailbox. I don't know what evil lurks in the hearts of the Berserkeley mailers.)
-Paul S. R. Chisholm, UUCP {ihnp4,cbosgd,allegra,vax135,mtgzz}!lznv!psc
AT&T Mail !psrchisholm, Internet mtgzz!lznv!psc@rutgers.rutgers.edu
The above opinions may not be shared by any telecomm company.
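The remove-versus-truncate rule the post describes, emulated in a shell script so the 660 and 620 cases can be checked side by side. This is an added illustration, not the code of /bin/mail or mailx; it assumes GNU `stat -c '%a'` and uses a temporary file in place of /usr/mail/$LOGNAME.

```shell
#!/bin/sh
# Emulation (not the real mailers) of the emptying rule described in the post:
# a mailer removes the mailbox when its mode equals the mailer's own notion of
# the default, and otherwise truncates it in place, keeping the user's mode.
# /bin/mail's default is 664, mailx's is 660.

# Octal mode of a file (GNU stat assumed).
mailbox_mode() {
    stat -c '%a' "$1"
}

# empty_mailbox FILE DEFAULT: emulate a mailer emptying FILE.
# Prints "removed" or "truncated".
empty_mailbox() {
    file=$1; default=$2
    if [ "$(mailbox_mode "$file")" = "$default" ]; then
        rm -f "$file"
        echo removed
    else
        : > "$file"
        echo truncated
    fi
}

# Succeeds (exit 0) when the "other" bits of FILE include read permission.
world_readable() {
    mode=$(mailbox_mode "$1")
    other=${mode#"${mode%?}"}          # last octal digit
    [ $((other & 4)) -ne 0 ]
}

# Walk through the post's scenario: a 660 mailbox survives /bin/mail (664)
# but is removed by mailx (660); 620 survives both and is not world readable.
demo() {
    tmp=$(mktemp)
    chmod 660 "$tmp"
    r1=$(empty_mailbox "$tmp" 664)     # truncated
    r2=$(empty_mailbox "$tmp" 660)     # removed
    : > "$tmp"; chmod 620 "$tmp"       # recreate with the post's 620
    r3=$(empty_mailbox "$tmp" 664)     # truncated
    r4=$(empty_mailbox "$tmp" 660)     # truncated
    world_readable "$tmp" && wr=yes || wr=no
    rm -f "$tmp"
    echo "$r1 $r2 $r3 $r4 $wr"
}
```

Running `demo` prints `truncated removed truncated truncated no`, matching the post's account of why 660 was lost and 620 holds.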