Path: utzoo!attcan!uunet!unisoft!john
From: john@unisoft.UUCP (John Sovereign)
Newsgroups: comp.unix.aux
Subject: Re: A/UX Mail files
Summary: mail files need permissions changes
Keywords: permissions, mail
Message-ID: <1833@unisoft.UUCP>
Date: 27 Jan 89 06:08:28 GMT
References: <289@berlin.acss.umn.edu>
Reply-To: john@unisoft.UUCP (John Sovereign)
Organization: UniSoft Corporation
Lines: 43

In article <289@berlin.acss.umn.edu> grg@berlin.acss.umn.edu (George Gonzalez) writes:
>mail files have too many permissions: i.e.:
>
>-rw-rw---- gus
>-rw-rw---- harry
>

The "feature" is the local mail delivery agent, /bin/mail, which is forcing
the modes that you observe. As a security feature in System V, /bin/mail is
intended to be set-group-id (and not set-user-id root) and the files in the
spool directory, /usr/mail, must be writable by the group. Since /bin/mail
does not have the set-group-id bit set on A/UX, the group id of the mail
file(s) is set to the group id of the sender whose mail happens to create
the recipient's mail file.

>We'd rather have the files be -rw-------, i.e. only accessible by the owner.
>
>Any ideas?

I haven't tested either of these very thoroughly, but here goes.

(1) This is a quick fix which I believe addresses your concern, but does not
solve some other problems which also exist with forwarding of mail.

	# chmod 731 /usr/mail

This change will prevent people from reading anyone else's mail file. Make
sure that the directory is writable by the group "bin"; this allows "mailx"
(what AT&T calls Berkeley Mail) to remove mail files by invoking
/usr/lib/mailx/rmmail (another set-group-id security feature!).

(2) This is more involved, but is probably the "right" fix. Add an entry to
/etc/passwd with a login name of "mail" and user and group id of 6. Add an
entry in /etc/group for "mail" as well. Then do the following.

	# chgrp mail /bin/mail /usr/mail /usr/lib/mailx/rmmail
	# chmod 2755 /bin/mail /usr/lib/mailx/rmmail
	# chmod 775 /usr/mail

I'm probably forgetting something at this hour, but it's worth a go.

John Sovereign
UniSoft Corporation
uunet!unisoft!john
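
Added example, not part of the original post and not UniSoft or A/UX code: a read-only audit to run after a change like fix (2), reporting mailboxes that grant access to "other", mailboxes that picked up a group other than the mail group, and delivery programs missing the set-group-id bit. The function names are hypothetical, and a POSIX find and test are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of a mail
# spool after a permissions change. All function names are hypothetical.

# Print mailboxes in spool $1 that grant any permission bit to "other".
world_accessible() {
    find "$1" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print mailboxes in spool $1 whose group is not $2 (group name or gid).
# This is the symptom in the post: the file took the sender's group.
wrong_group() {
    find "$1" -type f ! -group "$2" -print
}

# Print each named program that lacks the set-group-id bit.
not_setgid() {
    for prog in "$@"; do
        [ -g "$prog" ] || printf '%s\n' "$prog"
    done
}

# Run all three checks, print labelled findings, return 1 if any exist.
# Usage: audit_mail_setup SPOOL GROUP PROGRAM...
audit_mail_setup() {
    spool=$1 group=$2
    shift 2
    report=$(
        world_accessible "$spool" | sed 's/^/world-accessible mailbox: /'
        wrong_group "$spool" "$group" | sed 's/^/unexpected group: /'
        not_setgid "$@" | sed 's/^/not set-group-id: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

With the names used in the post, the call would be: audit_mail_setup /usr/mail mail /bin/mail /usr/lib/mailx/rmmail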