Why would the sticky bit NOT be set on /var/spool/mail ???

Joe(theWordy)Philbrook jtwdyp at ttlc.net
Thu Jan 19 20:12:15 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



It would appear that on Jan 16, Derek Broughton did say:

> Joe(theWordy)Philbrook wrote:
> ... 
> > My question is why wouldn't this sticky bit have been set by default on
> > kubuntu????
> 
> I'm not sure I can help, but I think pine's out to lunch on that message.
> 
> If the owner is root.mail (mine has the same permissions/ownership), then
> how can "you" alter anything in there?  If you have world _write_
> permission, then you probably need the sticky bit.

Well one reason might be the lockfile that pine can't create if regular
users don't have write permissions to the mail spool dir...

(After reading your reply, I followed up with this in pine's list and
was pointed at a section on lock file in pine's help system: which says
in part...)


=> 3. Why does Pine require that the mail spool directory have 1777
=>     protections?
=>     Pine was designed to run without special privileges. This means
=>     that in order to create a lockfile in the spool directory, it is
=>     necessary to have the spool directory permissions be
=>     world-writable.
=> 
=>  4. Can't you create the lockfile somewhere else?
=>     No. The lockfile in question must be in the mail spool directory,
=>     because that's where the mail delivery program expects to find it,
=>     and the purpose of the file is to coordinate access between the
=>     mail client (Pine) and the mail delivery program.
=> 
=>  5. Isn't having the spool directory world-writable a big security
=>     risk?
=>     No. Remember that the individual mail files in the spool directory
=>     are NOT world-writable, only the containing directory. Setting the
=>     "sticky bit" -- indicated by the "1" before the "777" mode --
=>     means that only the owner of the file (or root) can delete files


Now I don't understand enough about how the programs that run with mail
group privileges actually work to know how badly they depend on using
the "set group ID" attribute that mc tells me is set for /var/mail and
chmod's manpage makes me think shares the leading octal permission char
with the sticky bit, making the octal permissions something like 2775. 
I don't know how well that plays with using the sticky bit, but adding
the (1) to the value (2) in 2775 to offset the risk of letting regular
users have the write permissions (2) {which added to the (5) makes (7)}
needed for user software to create the lock files that, pine says it
should be making, would yield 3777.  Which hopefully won't break
anything... Cause pending a better understanding, that is what I'm
setting /var/mail to...


   #############################################################
   ##_if_you'd_prefer_an_clearsigned_".asc"_text_file_of_this_##
   ##message_as_an_mime_encoded_attachment,just_ask_me_while__##
   ##it's_STILL_IN_my_outbox_folder_._._._=+=+=+=+=+=+=+=+;-)_##
   #gpg sig for: Joe (theWordy) Philbrook DSA key ID 0x6C2163DE#
   # You can find my public gpg key at http://pgpkeys.mit.edu/ #
   #############################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDz/GrRZ/61mwhY94RAvx9AKCmhmis5XiAnyplrS3EvVNGtmYDKgCgj2tx
GyDhnNxI+xv1u2OgzDUY2lY=
=WQYs
-----END PGP SIGNATURE-----
-- 
|   ---   ___
|   <0>   <->	   Joe (theWordy) Philbrook
|	^		J(tWdy)P
|    ~\___/~	     <<jtwdyp at ttlc.net>>




More information about the kubuntu-users mailing list