Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!vsi1!daver!mips!synthesis!keithm
From: keithm@synthesis.Synthesis.COM (Keith Mortensen)
Newsgroups: comp.mail.mh
Subject: Re: A question about "inc".
Message-ID: <12377@mips.mips.COM>
Date: 31 Jan 89 03:18:22 GMT
References: <48941@yale-celray.yale.UUCP> <8901280137.AA24180@cheops.cis.ohio-state.edu> <351@salgado.stan.UUCP> <32976@tut.cis.ohio-state.edu>
Sender: news@mips.COM
Reply-To: keithm@synthesis.synthesis.com (Keith Mortensen)
Organization: Synthesis Software Solutions Inc, Sunnyvale, CA
Lines: 28

In article <32976@tut.cis.ohio-state.edu> Bill Wisner <wisner@cis.ohio-state.edu> writes:
>inc uses access(2) to check file permissions; making it setgid mail will not
>(at least on a Sun-3 and an HP 9000) allow access to unreadable mail files.

I believe that David Elliott was correct in saying that it will allow you
to read a file you shouldn't be able to.

MH 6.5 and MH 6.6 does do an access as you indicated to check the file
permissions, but when the access fails if tries to open the file read-only.
Here is the source in question:

    if (access (newmail, 02) == NOTOK) {
	    trnflag = 0;
	    if ((in = fopen (newmail, "r")) == NULL)
		adios (newmail, "unable to read");
    }

I have commented out the code which does the fopen in my version.

-- Keith Mortensen
-------------------------------------------------------------------------------
UUCP: keithm@synthesis.com OR {wyse,ames,pyramid,decwrl}!mips!synthesis!keithm
DDD:  408-991-0275 or 408-720-1557, Ext. 275
USPS: Synthesis Software Solutions, Inc., 292 Commercial Ave., CA 94086
-- Keith Mortensen
-------------------------------------------------------------------------------
UUCP: keithm@synthesis.com OR {wyse,ames,pyramid,decwrl}!mips!synthesis!keithm
DDD:  408-991-0275 or 408-720-1557, Ext. 275