tran@versatc.UUCP (Tony Tran) (11/18/88)
Hello,

This afternoon, in an effort to tighten the security, I removed the write permission for other in the /usr/spool directory:

    drwxrwxr-x  2 root     wheel        1024 Nov 17 21:02 mail

When I fired up elm, it bombed out with the following message:

    Reading in /usr/spool/mail/tran, message: 0
    Can't create lock file! I need write permission in "/usr/spool/mail/"

If I restore the write permission for others, then elm works OK, but anybody can go into /usr/spool/mail and mess up the mail messages, for example: mv user1 user2 ... {they might not be able to read the content of these mail messages}

I noticed that the regular mail program doesn't have this problem.

Any idea how to fix this permission problem?

Tony Tran

PS I am running a SUN 3/160 with SUN OS 3.4 and Elm 2.1 PL1
rhealey@umn-d-ub.D.UMN.EDU (Rob Healey) (11/21/88)
In article <3752@versatc.UUCP> tran@versatc.UUCP (Tony Tran) writes:
> This afternoon in an effort to tighten the security, I removed the
> write permission to other in /usr/spool directory:
> drwxrwxr-x  2 root     wheel        1024 Nov 17 21:02 mail
> When I fired up elm, it bombed out with the following message:
> Reading in /usr/spool/mail/tran, message: 0
> Can't create lock file! I need write permission in "/usr/spool/mail/"
> If I restored the write permission to others, then elm worked OK,
> but anybody can go into /usr/spool/mail and messes up the mail messages
> for example: mv user1 user2 ...
> {they might not be able to read the content of these mail messages}
> Any idea how to fix this permission problem?
> PS I am running SUN 3/160 with SUN OS 3.4 and Elm2.1 PL1

Just a comment: why not use SGID rather than SUID programs? System V UNIX(tm) changes the group of the mail directory to mail and then runs the mail programs SGID to mail. Rather than letting sendmail and other programs run SUID to root, change 'em to SGID mail.

Now, for you people out there saying "sounds good to me", a warning: Sendmail HAS to run SUID root on LANs/internet because it uses a privileged port.

For those of you NOT running sendmail, try changing the mail directories to group mail and setting elm and your mailers to run SGID mail, i.e.

    drwxrwxr-x  2 root     mail         1024 Nov 17 21:02 mail

Just an idea. No need to run things SUID root or leave directories wide open; use SGID. Groups provide a nice intermediate solution.

-Rob Healey
rhealey@ub.d.umn.edu
jos@idca.tds.PHILIPS.nl (Jos Vos) (11/21/88)
In article <3752@versatc.UUCP> tran@versatc.UUCP (Tony Tran) writes:
> This afternoon in an effort to tighten the security, I removed the
> write permission to other in /usr/spool directory:
> ...
> Can't create lock file! I need write permission in "/usr/spool/mail/"

On System V systems all the mail agents (and thus also Elm) are setgid mail, and the /usr/mail directory is of group mail, as are all the mailboxes in it. Look at the mode of your local mail delivery agent and see if the same trick may work on your system.

--
###### Jos Vos ###### Internet jos@idca.tds.philips.nl ######
######         ###### UUCP     ...!mcvax!philapd!jos    ######
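As an added illustration of the three states of the spool directory discussed in this thread (Tony's locked-down 775 root:wheel directory where elm cannot create its lock file, the 777 directory where any user can rename mailboxes, and the setgid-mail arrangement Rob and Jos describe), the following is a small model of the Unix permission check, not code from the original posts or from elm. The uids, gids and the mail group number are constructed for the walkthrough; it does not touch a real spool.

```python
import stat

# Constructed identities for the walkthrough (assumptions, not from the thread).
ROOT_UID, WHEEL_GID, MAIL_GID = 0, 0, 6
TRAN = {"uid": 1001, "gid": 100, "groups": [100]}    # the user running elm
OTHER = {"uid": 1002, "gid": 100, "groups": [100]}   # any other login user


def class_bits(mode, owner_uid, owner_gid, uid, egid, groups):
    """Pick the owner/group/other rwx triplet the kernel applies to a process:
    owner match wins, then a match on the effective gid or a supplementary
    group, else the 'other' bits.  Root (uid 0) is not modelled here."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid == egid or owner_gid in groups:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o7


def can_create_in(dir_mode, dir_uid, dir_gid, uid, egid, groups):
    """Creating a lock file needs write AND search (x) on the directory."""
    return class_bits(dir_mode, dir_uid, dir_gid, uid, egid, groups) & 0o3 == 0o3


def can_rename_in(dir_mode, dir_uid, dir_gid, uid, egid, groups):
    """'mv user1 user2' inside the spool is a directory write; without the
    setgid trick it runs with the user's own login groups."""
    return can_create_in(dir_mode, dir_uid, dir_gid, uid, egid, groups)


def effective_gid(mailer_mode, mailer_gid, login_gid):
    """A setgid binary runs with its file group as the effective gid."""
    return mailer_gid if mailer_mode & stat.S_ISGID else login_gid


def evaluate(dir_mode, dir_gid, mailer_mode, mailer_gid=MAIL_GID):
    """What elm (run by TRAN) and a hostile OTHER user can do in the spool.
    The spool directory is owned by root in every scenario, as in the ls output."""
    egid_elm = effective_gid(mailer_mode, mailer_gid, TRAN["gid"])
    elm_lock = can_create_in(dir_mode, ROOT_UID, dir_gid,
                             TRAN["uid"], egid_elm, TRAN["groups"])
    # The attacker types mv from a shell: no setgid elevation applies.
    other_mv = can_rename_in(dir_mode, ROOT_UID, dir_gid,
                             OTHER["uid"], OTHER["gid"], OTHER["groups"])
    return {"elm_can_lock": elm_lock, "other_can_mv": other_mv}


# The three configurations from the thread.
LOCKED_DOWN = evaluate(dir_mode=0o775, dir_gid=WHEEL_GID, mailer_mode=0o755)
WIDE_OPEN = evaluate(dir_mode=0o777, dir_gid=WHEEL_GID, mailer_mode=0o755)
SETGID_MAIL = evaluate(dir_mode=0o775, dir_gid=MAIL_GID, mailer_mode=0o2755)

if __name__ == "__main__":
    for name, result in (("775 root:wheel, elm 755", LOCKED_DOWN),
                         ("777 root:wheel, elm 755", WIDE_OPEN),
                         ("775 root:mail,  elm 2755 sgid mail", SETGID_MAIL)):
        print(f"{name:38s} {result}")
```

Only the third configuration gives both properties at once: elm's effective gid becomes mail so it may create the lock file, while a plain shell run by another user still sees only the r-x 'other' bits and cannot rename mailboxes. The model deliberately leaves out root, which bypasses all three bits, and says nothing about sendmail, which Rob notes must still be setuid root for its privileged port.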