Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!crow.UUCP!rpaul
From: rpaul@crow.UUCP (Rodian Paul)
Newsgroups: comp.sys.sgi
Subject: Re: /usr/mail/username protections
Message-ID: <9103270649.AA25122@crow.omni.co>
Date: 27 Mar 91 06:49:15 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 33

> I now have umask 077 in /etc/stdcshrc so that mbox in the user's dir
> gets no privs for group, but /usr/mail/username files get g:rw !!
> Why is this and how can I prevent any group privs?
>

You need to modify /etc/cshrc and /etc/profile to set up default umasks.
The std files are for copying to new accounts.

So what if /usr/mail/userid files are group rw. How many of your users
belong to the group mail?

Besides, if you type:

% Mail -u userid

you can read (but not modify) the user's mail. This is standard BSD mail
as far as I know. I assume that because /bin/mail and /usr/sbin/Mail are
set-group mail, that allows you to read other people's mail files. However
you can't read their ~/mbox files unless they aren't 600.

> I also find some length 0 /usr/mail/username files out there, but
> when I read my newmail and quit, mine gets deleted. Do I assume that
> adduser creates a zero sized file for the user, but when it gets used
> it gets deleted? If I can coerce the file to remain even if zero length,
> at least I can forever put the "correct" protections on existing ones.
>

This I also find a little perplexing. Because /usr/mail is a symbolic link
on all of our machines to a server, I assume that the NFS file-locking bug
is the culprit, but I'm not sure.

-------------------------------------------------------------------------------
crow!rpaul@ccut.cc.u-tokyo.ac.jp        phone: +81 (3) 5706-8357
ccut.cc.u-tokyo.ac.jp!crow!rpaul        FAX:   +81 (3) 5706-8437
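
Added example, not part of the original post: a POSIX shell audit of the two things discussed above, group or world permission bits on spool files and whether a user's mbox is 600 or tighter. The spool and home directories are constructed sample data in a temporary directory, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): audit mail-spool and mbox modes.
# All paths below are constructed sample data inside a temp dir.

# List spool files granting group read or write (the "g:rw" from the question).
spool_group_access() {
    find "$1" -type f \( -perm -040 -o -perm -020 \) -print | sort
}

# List spool files granting anything to "other"; these need no membership
# in the spool's group to be read or written.
spool_other_access() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Succeed only when an mbox grants no bits to group or other (600 or tighter).
mbox_is_private() {
    [ -f "$1" ] || return 2
    hits=$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$hits" ]
}

# Build a constructed spool and two home directories to run the checks on.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/spool" "$root/home/alice" "$root/home/bob"
    : > "$root/spool/alice"; chmod 660 "$root/spool/alice"  # g:rw, as in the post
    : > "$root/spool/bob";   chmod 600 "$root/spool/bob"    # tightened by hand
    : > "$root/spool/carol"; chmod 664 "$root/spool/carol"  # also world-readable
    ( umask 077; : > "$root/home/alice/mbox" )              # created under umask 077
    : > "$root/home/bob/mbox"; chmod 640 "$root/home/bob/mbox"
    echo "$root"
}

root=$(make_sample)
echo "group access:"; spool_group_access "$root/spool"
echo "other access:"; spool_other_access "$root/spool"
for u in alice bob; do
    if mbox_is_private "$root/home/$u/mbox"; then echo "$u mbox: private"
    else echo "$u mbox: NOT private"; fi
done
rm -rf "$root"
```

Pointed at a real spool directory, the two listing functions separate files that only the spool's group can reach from files that are exposed to every local user.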