[comp.mail.elm] Permission problem with Elm 2.1

tran@versatc.UUCP (Tony Tran) (11/18/88)

 Hello,

 This afternoon in an effort to tighten the security, I removed the
 write permission to other in /usr/spool directory: 

 drwxrwxr-x  2 root     wheel        1024 Nov 17 21:02 mail

 When I fired up elm, it bombed out with the following message:

 Reading in /usr/spool/mail/tran, message: 0
 Can't create lock file!  I need write permission in "/usr/spool/mail/"

 If I restored the write permission to others, then elm worked OK,
 but anybody can go into /usr/spool/mail and mess up the mail messages
 for example: mv user1 user2 ...
 {they might not be able to read the content of these mail messages}

 I noticed that regular mail program doesn't have this problem.

 Any idea how to fix this permission problem?

 Tony Tran
 PS I am running SUN 3/160 with SUN OS 3.4 and Elm2.1 PL1

rhealey@umn-d-ub.D.UMN.EDU (Rob Healey) (11/21/88)

In article <3752@versatc.UUCP> tran@versatc.UUCP (Tony Tran) writes:
> This afternoon in an effort to tighten the security, I removed the
> write permission to other in /usr/spool directory: 
> drwxrwxr-x  2 root     wheel        1024 Nov 17 21:02 mail
> When I fired up elm, it bombed out with the following message:
> Reading in /usr/spool/mail/tran, message: 0
> Can't create lock file!  I need write permission in "/usr/spool/mail/"
> If I restored the write permission to others, then elm worked OK,
> but anybody can go into /usr/spool/mail and mess up the mail messages
> for example: mv user1 user2 ...
> {they might not be able to read the content of these mail messages}
> Any idea how to fix this permission problem?
> PS I am running SUN 3/160 with SUN OS 3.4 and Elm2.1 PL1

	Just a comment, why not use SGID rather than SUID programs? System
	V UNIX(tm) changes the group of the mail directory to mail and then
	runs the mail programs SGID to mail. Rather than letting sendmail
	and other programs run SUID to root, change 'em to SGID mail. Now, for
	you people out there saying "sounds good to me", a warning:
	Sendmail HAS to run SUID root on LANs/internet because it uses a
	privileged port. For those of you NOT running sendmail, try changing
	the mail directories to group mail and setting elm and your mailers
	to run SGID mail, i.e.

	drwxrwxr-x  2 root   mail  1024   Nov 17 21:02 mail

	Just an idea. No need to run things SUID root or leave directories
	wide open, use SGID. Groups provide a nice intermediate solution.

			-Rob Healey

			rhealey@ub.d.umn.edu

jos@idca.tds.PHILIPS.nl (Jos Vos) (11/21/88)

In article <3752@versatc.UUCP> tran@versatc.UUCP (Tony Tran) writes:

> This afternoon in an effort to tighten the security, I removed the
> write permission to other in /usr/spool directory: 
> ...
> Can't create lock file!  I need write permission in "/usr/spool/mail/"

On System V systems all the mail agents (and thus also Elm) are setgid mail,
and the /usr/mail directory is of group mail as are all the mailboxes in it.

Look at the mode of your local mail delivery agent and see if the same
trick may work on your system.

-- 
-- ######   Jos Vos   ######   Internet   jos@idca.tds.philips.nl   ######
-- ######             ######   UUCP         ...!mcvax!philapd!jos   ######
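
The layout both replies describe (spool directory owned by group mail, mail programs setgid mail) can be checked with a short script. This is an added example, not part of the thread; the function names, the group argument and the paths in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check the layout the replies describe.
# Assumption: function names, group and sample paths are illustrative.

mode_of()  { ls -ldL -- "$1" | cut -c1-10; }         # e.g. drwxrwxr-x
group_of() { ls -ldL -- "$1" | awk '{print $4}'; }
bit()      { printf '%s' "$1" | cut -c"$2"; }        # one char of a mode string

# spool_status DIR GROUP -> one word describing the spool directory
spool_status() {
    [ -d "$1" ] || { echo not-a-directory; return 0; }
    m=$(mode_of "$1")
    if [ "$(bit "$m" 9)" = w ]; then
        echo world-writable        # any user can create, rename or remove mailboxes
    elif [ "$(group_of "$1")" != "$2" ]; then
        echo wrong-group           # setgid GROUP agents get no access from this dir
    elif [ "$(bit "$m" 6)" != w ]; then
        echo not-group-writable    # agents could not create their lock files
    else
        echo group-ok
    fi
}

# agent_status FILE GROUP -> how a mail program obtains write access
agent_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    m=$(mode_of "$1")
    case $(bit "$m" 4) in s|S) echo setuid; return 0 ;; esac
    case $(bit "$m" 7) in
        s|S) if [ "$(group_of "$1")" = "$2" ]; then echo setgid-ok
             else echo setgid-other-group; fi ;;
        *)   echo plain ;;         # runs with the invoking user's groups only
    esac
}

# audit DIR GROUP AGENT... -> one report line per path
audit() {
    dir=$1; grp=$2; shift 2
    echo "$dir: $(spool_status "$dir" "$grp")"
    for f in "$@"; do echo "$f: $(agent_status "$f" "$grp")"; done
}

# Usage (paths are examples): sh audit.sh /usr/spool/mail mail /usr/local/bin/elm
if [ $# -ge 2 ]; then audit "$@"; fi
```

A `plain` agent combined with a `group-ok` directory reproduces the "Can't create lock file!" failure from the original post; `world-writable` is the state the poster was trying to get away from.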