[comp.emacs] Rmail

gtravan@sirius.ua.oz (George Travan) (06/29/89)

i've just noticed after installing emacs 18.52 that when i enter Rmail i get
an error after it attempts to look at the spool. the error i get is:

        movemail error creating lock file?
what's going on 'ere.

--geo		ACSnet: gtravan@sirius.ua.oz

kim@kannel.lut.fi (Kimmo Suominen) (06/30/89)

In article <416@sirius.ua.oz> gtravan@sirius.ua.oz (George Travan) writes:

   From: gtravan@sirius.ua.oz (George Travan)
   Newsgroups: comp.emacs
   Keywords: Rmail
   Date: 29 Jun 89 01:22:52 GMT
   Organization: Computing Services, Uni of Adelaide, Australia
   Lines: 7

   i've just noticed after installing emacs 18.52 that when i enter Rmail i get
   an error after it attempts to look at the spool. the error i get is:

	   movemail error creating lock file?
   what's going on 'ere.

   --geo		ACSnet: gtravan@sirius.ua.oz

You haven't got access to your mail spool directory.  You should either add
write access to the world (other) for that directory or install movemail as
setgid with group mail.

Problem with the first solution is that anyone can now remove another person's
incoming mail file.  Problem with the second solution is that anyone can read
someone else's mail by setting the incoming mailbox variable in Emacs (at
least I think it's possible that way - I haven't tried).

I solved the problem with setgid and try to trust our users ;-)

Kim
--
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
( Kimmo Suominen              Electronic Mail on Internet:  kim@kannel.lut.fi )
( "That's what I think!"                         on Funet:  KUULA::KIM        )
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

rlk@think.com (Robert Krawitz) (06/30/89)

In article <KIM.89Jun30095016@kannel.lut.fi>, kim@kannel (Kimmo Suominen) writes:
]Problem with the first solution is that anyone can now remove another person's
]incoming mail file.  Problem with the second solution is that anyone can read
]someone else's mail by setting the incoming mailbox variable in Emacs (at
]least I think it's possible that way - I haven't tried).

No, it shouldn't be possible.  The individual spool files are normally
set 600, so only the owner can read or write them.  It doesn't prevent
anyone who has access to the directory from stat'ing them, though, but
movemail doesn't have any way to print out the stats coded into it.
-- 
ames >>>>>>>>>  |	Robert Krawitz <rlk@think.com>	245 First St.
bloom-beacon >  |think!rlk				Cambridge, MA  02142
harvard >>>>>>  .	Thinking Machines Corp.		(617)876-1111

perf@efd.lth.se (Per Foreby) (07/03/89)

In article <KIM.89Jul3122907@kannel.lut.fi> kim@kannel.lut.fi (Kimmo Suominen) writes:

> If you have write permission to a directory, you can delete any file in
> it even if you don't have any rights for the file itself.
 
> If you have movemail installed as setgid to mail, then you *CAN* read
> another person's incoming mail.  I just tried it out and it works fine
> (just use "set-rmail-inbox-list").
 
> Any solutions?

This is from the manpage for chmod(2):

     If mode bit 01000 is set on  a  directory,  an  unprivileged
     user  may  not delete or rename files of other users in that
     directory.

This works fine on our systems (SunOS 4.0.1 and Ultrix 3.0), but I'm
not sure if all *ix versions support this.

--
Per Foreby
System manager at EFD, Lund Institute of Technology (Lund University)
Snail: E-huset, Tekniska Hogskolan i Lund, Box 118, S-221 00 LUND, Sweden. 
Email: perf@efd.lth.se		Phone: int + 46 46-10 75 98

rlk@think.com (Robert Krawitz) (07/03/89)

In article <KIM.89Jul3122907@kannel.lut.fi>, kim@kannel (Kimmo Suominen) writes:
]In article <23253@news.Think.COM> rlk@think.com (Robert Krawitz) writes:
]
]   In article <KIM.89Jun30095016@kannel.lut.fi>, kim@kannel (Kimmo Suominen)
]   writes: 
]       Problem  with  the  first solution is that  anyone can now  remove
]       another person's  incoming  mail file.
]
]       Problem with the second solution is  that anyone can  read someone
]       else's mail by setting the incoming mailbox variable in  Emacs (at
]       least I think it's possible that way - I haven't tried).
]
]   No, it shouldn't be possible.  The individual spool files are normally
]   set 600, so only the owner can read or write them.  It doesn't prevent
]   anyone who has access to the directory from stat'ing them, though, but
]   movemail doesn't have any way to print out the stats coded into it.
]
]Which one shouldn't be possible?  (Well, yeah - it shouldn't be but it is
]- or did you mean "it can't be")

This should work (on a 4.3 derived system):

/usr/spool/mail is owned by root, group mail, protection 1730
(drwx-wx--T).  The sticky bit prevents removal of a file not owned by
the process attempting to delete it.

Movemail setgid, group mail.  This makes the uid == your uid, and it
runs as group mail.  It cannot read the spool directory, but it can
search it (i.e. find files in it) and read and delete files owned by
you.

This is taken from the man page for sticky(8) in the SunOS 4.0.1
distribution, but I don't think that only SunOS does this.

]If you have write permission to a directory, you can delete any file in
]it even if you don't have any rights for the file itself.

Not true in 4.3; note also that movemail can check ownership in a
system without sticky directories.  It's a simple enough program so
that it can do checks of that nature.

]If you have movemail installed as setgid to mail, then you *CAN* read
]another person's incoming mail.  I just tried it out and it works fine
](just use "set-rmail-inbox-list").

Well, are your mail spool files set to 600 (readable by owner only)?
I think not.
-- 
ames >>>>>>>>>  |	Robert Krawitz <rlk@think.com>	245 First St.
bloom-beacon >  |think!rlk				Cambridge, MA  02142
harvard >>>>>>  .	Thinking Machines Corp.		(617)876-1111
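An added illustration (not code from Per, Robert or anyone else in this thread) of the permission rules the two preceding posts describe: who can create a lock file in the spool directory, who can list it, and who can unlink a file in it once the sticky bit (mode 01000) is set. The uids, gids and the three directory layouts are constructed from the thread's numbers: Robert's 1730 root:mail spool, a 3777 spool, and a world-writable directory without the sticky bit (Kim's first "solution"). Supplementary groups and setuid are deliberately left out of the model; the process carries one uid and one effective gid, which is enough to show what setgid-mail movemail gains.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    unsigned mode;   /* permission bits including sticky/setgid, e.g. 01730 */
    unsigned uid;    /* owner */
    unsigned gid;    /* group */
} node;              /* a directory or a file */

typedef struct {
    unsigned uid;    /* real uid of the user; setuid is not modelled */
    unsigned gid;    /* effective gid, e.g. group mail via setgid movemail */
} proc;

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1
#define STICKY 01000

/* Pick the rwx triple that applies to this process the way the kernel does:
 * owner class if the uid matches, else group class, else other.  Root passes. */
static bool has_perm(const node *n, const proc *p, unsigned want)
{
    if (p->uid == 0)
        return true;
    unsigned bits;
    if (p->uid == n->uid)
        bits = (n->mode >> 6) & 7;
    else if (p->gid == n->gid)
        bits = (n->mode >> 3) & 7;
    else
        bits = n->mode & 7;
    return (bits & want) == want;
}

/* Listing a directory (what ls does) needs r on it. */
bool can_list(const node *dir, const proc *p)
{
    return has_perm(dir, p, PERM_R);
}

/* Creating a new entry, such as movemail's lock file, needs w and x. */
bool can_create_in(const node *dir, const proc *p)
{
    return has_perm(dir, p, PERM_W | PERM_X);
}

/* Unlinking needs w and x on the directory; with the sticky bit set the
 * caller must additionally own the file or the directory (the chmod(2) and
 * sticky(8) rule quoted in the thread).  Root is exempt. */
bool can_unlink_in(const node *dir, const node *file, const proc *p)
{
    if (!has_perm(dir, p, PERM_W | PERM_X))
        return false;
    if (p->uid == 0)
        return true;
    if (dir->mode & STICKY)
        return p->uid == file->uid || p->uid == dir->uid;
    return true;
}

/* Constructed sample layouts; uid 1000/1001 and gid 8/100 are made up. */
const node spool_1730 = { 01730, 0, 8 };    /* root:mail, drwx-wx--T (Robert) */
const node spool_3777 = { 03777, 0, 8 };    /* drwxrwsrwt, sticky set */
const node spool_0777 = { 00777, 0, 8 };    /* world-writable, no sticky bit */
const node alice_inbox = { 0600, 1000, 8 };
const node bob_inbox   = { 0600, 1001, 8 };
const proc alice_plain = { 1000, 100 };     /* Alice without group mail */
const proc alice_mail  = { 1000, 8 };       /* Alice inside setgid-mail movemail */
const proc as_root     = { 0, 0 };

int main(void)
{
    printf("1730, no setgid: create lock file? %d\n", can_create_in(&spool_1730, &alice_plain));
    printf("1730, setgid mail: create lock file? %d  list dir? %d\n",
           can_create_in(&spool_1730, &alice_mail), can_list(&spool_1730, &alice_mail));
    printf("1730, setgid mail: unlink own inbox? %d  unlink Bob's? %d\n",
           can_unlink_in(&spool_1730, &alice_inbox, &alice_mail),
           can_unlink_in(&spool_1730, &bob_inbox, &alice_mail));
    printf("3777: Alice unlinks Bob's inbox? %d\n", can_unlink_in(&spool_3777, &bob_inbox, &alice_plain));
    printf("0777: Alice unlinks Bob's inbox? %d\n", can_unlink_in(&spool_0777, &bob_inbox, &alice_plain));
    return 0;
}
```

The 1730 case without setgid is the original "error creating lock file": the other class has no bits at all, so movemail cannot create anything in the spool. With setgid mail the group class supplies -wx, which is enough to create the lock file and to find and unlink one's own inbox but not to list the directory, and the sticky bit refuses the unlink of a file the caller does not own. The world-writable directory without the sticky bit is the configuration in which anyone can remove anyone else's incoming mail.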

kim@kannel.lut.fi (Kimmo Suominen) (07/03/89)

In article <23253@news.Think.COM> rlk@think.com (Robert Krawitz) writes:

   From: rlk@think.com (Robert Krawitz)
   Newsgroups: comp.emacs
   Keywords: Rmail
   Date: 30 Jun 89 13:53:48 GMT
   References: <416@sirius.ua.oz> <KIM.89Jun30095016@kannel.lut.fi>
   Sender: news@Think.COM
   Reply-To: rlk@think.com (Robert Krawitz)
   Organization: Thinking Machines Corp., Cambridge MA
   Lines: 14

   In article <KIM.89Jun30095016@kannel.lut.fi>, kim@kannel (Kimmo Suominen)
   writes: 
       Problem  with  the  first solution is that  anyone can now  remove
       another person's  incoming  mail file.

       Problem with the second solution is  that anyone can  read someone
       else's mail by setting the incoming mailbox variable in  Emacs (at
       least I think it's possible that way - I haven't tried).

   No, it shouldn't be possible.  The individual spool files are normally
   set 600, so only the owner can read or write them.  It doesn't prevent
   anyone who has access to the directory from stat'ing them, though, but
   movemail doesn't have any way to print out the stats coded into it.
   -- 
   ames >>>>>>>>>  |	Robert Krawitz <rlk@think.com>	245 First St.
   bloom-beacon >  |think!rlk				Cambridge, MA  02142
   harvard >>>>>>  .	Thinking Machines Corp.		(617)876-1111

Which one shouldn't be possible?  (Well, yeah - it shouldn't be but it is
- or did you mean "it can't be")

If you have write permission to a directory, you can delete any file in
it even if you don't have any rights for the file itself.

If you have movemail installed as setgid to mail, then you *CAN* read
another person's incoming mail.  I just tried it out and it works fine
(just use "set-rmail-inbox-list").

Any solutions?

Kim
--
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
( Kimmo Suominen              Electronic Mail on Internet:  kim@kannel.lut.fi )
( "That's what I think!"                         on Funet:  KUULA::KIM        )
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

kim@kannel.lut.fi (Kimmo Suominen) (07/04/89)

In article <23400@news.Think.COM> rlk@think.com (Robert Krawitz) writes:

   From: rlk@think.com (Robert Krawitz)
   Newsgroups: comp.emacs
   Date: 3 Jul 89 14:09:59 GMT
   References: <416@sirius.ua.oz> <KIM.89Jun30095016@kannel.lut.fi>
           <23253@news.Think.COM> <KIM.89Jul3122907@kannel.lut.fi>
   Sender: news@Think.COM
   Reply-To: rlk@think.com (Robert Krawitz)
   Organization: Thinking Machines Corp., Cambridge MA

   Well, are your mail spool files set to 600 (readable by owner only)?
   I think not.

No, our mail inbox files aren't set to 600 mode, but I can't see a way to do
that since when the mail system creates a new inbox file, its mode is 660 and
that's a default I don't know how to change.

Kim
--
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
( Kimmo Suominen              Electronic Mail on Internet:  kim@kannel.lut.fi )
( "That's what I think!"                         on Funet:  KUULA::KIM        )
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

lawhorn@optis31.uucp (Jeff Lawhorn) (07/05/89)

I'm surprised no one has mentioned this yet.  There are 2 major
flavors of Unix, BSD and System V.  Each of these uses a
different concept on how to deliver mail.  

Under BSD, the mail directory is /usr/spool/mail, and normally has
the permissions 3777 (drwxrwsrwt).  Each mailbox in
/usr/spool/mail has the permissions 600 (-rw-------).  This
allows the user to read his mail, but keeps others out.  This
works because under BSD the mail delivery layer runs setuid to
root, allowing it to write any mailbox.

Under System V, the mail directory is /usr/mail, and normally has
the permissions 777 (drwxrwxr-x).  Each mailbox in /usr/mail has
the permissions 660 (-rw-rw----).  The mailboxes are owned by the
user the mail is for, and are group mail.  This allows the user
to read his mail, and keeps others out.  (No one is normally in
the group mail.)  This works well because the mail delivery layer
runs setgid to mail.

Under BSD everything should work just fine with movemail because
only a program running as the user, or as root, should be able to
read a mailbox.  However under System V, movemail must be run as
setgid to mail to be able to remove the mailbox.  Because
movemail is not well behaved and does not bother with checking
user ids, it allows any user to steal another user's mail.  (I say
steal because it removes the mailbox, so the original user will
never see the mail.)

Perhaps someone would like to fix movemail to check the owner of
the mailbox against the user running the program.

--
Jeff Lawhorn
lawhorn@opti
opti!lawhorn@berick.uucp
ucsd!sdsu!berick!opti!lawhorn
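An added example (not from Jeff, not from the movemail in the Emacs distribution) of the check Jeff asks for and Robert mentions earlier: before a setgid-mail program touches an inbox, it verifies that the file is a regular file owned by the real uid of the user running it. The check is done with fstat() on the descriptor that was actually opened, so there is no gap between checking and using; O_NOFOLLOW, where the platform defines it, stops a symlink planted in the spool from being followed. The temporary file the demo creates is constructed sample input, not a real spool.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum inbox_status {
    INBOX_OK = 0,
    INBOX_OPEN_FAILED,  /* open(2) or fstat(2) failed (missing, EISDIR, ...) */
    INBOX_NOT_REGULAR,  /* exists but is not a regular file (device, FIFO, ...) */
    INBOX_NOT_OWNER     /* owned by someone other than the calling user */
};

/* Open the inbox and verify, on the descriptor we hold, that it is a regular
 * file owned by `uid`.  On INBOX_OK the descriptor is handed back in *fd_out
 * and the caller is responsible for closing it. */
enum inbox_status open_inbox_checked(const char *path, uid_t uid, int *fd_out)
{
    int flags = O_RDWR;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;    /* refuse a symlink sitting where the inbox should be */
#endif
    int fd = open(path, flags);
    if (fd < 0)
        return INBOX_OPEN_FAILED;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return INBOX_OPEN_FAILED;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return INBOX_NOT_REGULAR;
    }
    /* The check the thread asks for: the file's owner must be the user running
     * the program, regardless of the group privilege setgid handed us. */
    if (st.st_uid != uid) {
        close(fd);
        return INBOX_NOT_OWNER;
    }
    *fd_out = fd;
    return INBOX_OK;
}

/* Run the check on a path and discard the descriptor. */
enum inbox_status check_path_as(const char *path, uid_t uid)
{
    int fd = -1;
    enum inbox_status st = open_inbox_checked(path, uid, &fd);
    if (st == INBOX_OK)
        close(fd);
    return st;
}

/* Exercise the check on a constructed temporary file (sample input, not a real
 * spool): create it mode 0600, run the check as `uid`, remove it. */
enum inbox_status check_temp_inbox_as(uid_t uid)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/inbox-demo-%ld", (long)getpid());
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {  /* fall back to the working directory if /tmp is unavailable */
        snprintf(path, sizeof path, "./inbox-demo-%ld", (long)getpid());
        fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    }
    if (fd < 0)
        return INBOX_OPEN_FAILED;
    close(fd);
    enum inbox_status st = check_path_as(path, uid);
    unlink(path);
    return st;
}

int main(void)
{
    uid_t me = getuid();
    printf("own file, own uid:   %d (expect %d)\n", check_temp_inbox_as(me), INBOX_OK);
    printf("own file, other uid: %d (expect %d)\n", check_temp_inbox_as(me + 1), INBOX_NOT_OWNER);
    printf("missing inbox:       %d (expect %d)\n",
           check_path_as("/nonexistent/inbox-demo", me), INBOX_OPEN_FAILED);
    printf("/dev/null:           %d (expect %d)\n",
           check_path_as("/dev/null", me), INBOX_NOT_REGULAR);
    return 0;
}
```

A setgid program that applies this before reading or truncating an inbox closes the hole Kim demonstrated with set-rmail-inbox-list: group mail still lets it open any 660 inbox, but the ownership test refuses every file not owned by the invoking user, so the group privilege only reaches the caller's own mail.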

kim@kannel.lut.fi (Kimmo Suominen) (07/18/89)

I'm working on the id checking.  I just got back from vacation and for the
first thing updated our operating system, so this will take a moment.  I'll
announce here when I'm ready.

Kim
--
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
( Kimmo Suominen              Electronic Mail on Internet:  kim@kannel.lut.fi )
( "That's what I think!"                         on Funet:  KUULA::KIM        )
 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''