Bugtraq mailing list archives

Re: Unsafe assumptions (Re: Mail delivery...)


From: Marcus Meissner <Marcus.Meissner () caldera de>
Date: Sat, 19 May 2001 22:14:51 +0200

On Sat, May 19, 2001 at 02:07:47PM +0200, Olaf Titz wrote:
> local delivery agent(s).  After all that's all you've got with "*.lock"
> files, since they too are only advisory locks.  Putting them into the
> kernel simply makes it possible to eliminate the risk of a mode 01777
> spool directory.  (The risk is already quite low of course if you
> pre-create all mailbox spool files, and especially if you write careful
> lock validation code in the local delivery agent.  Kernel locks simply
> make the code for safe local delivery less complex.)

Not quite. Any scheme which relies on pre-existing mailboxes would
also have to make sure that the owner of the mailbox cannot remove it.
This means not only standard MUAs but also "rm", "mv"[1], accidental
mistakes or user-installed MUAs. As I see it this is pretty much
impossible to guarantee.

So reliance on pre-existing mailboxes is inherently unsafe because it
relies on assumptions which can not be guaranteed, regardless of
useradd programs etc.

The solution to that is very simple:

- Create /var/mail/ with mode 775, root.mail owned.
- Write a small helper program, which is setgid mail, which just touches
  a file with the calling user's username in /var/mail/.

In fact, we use the appended helper (setgid mail) in Caldera OpenLinux now.

Ciao, Marcus
-- 
      _____     ___
     /  __/____/  /                Caldera (Deutschland) GmbH
    /  /_/ __  / /__          Naegelsbachstr. 49c, 91052 Erlangen
   /_____//_/ /____/       Dipl. Inf. Marcus Meissner, email: mm () caldera de
  ==== /_____/ ======    phone: ++49 9131 7912-300, fax: ++49 9131 7192-399
   Caldera OpenLinux

Attachment: createmailfolder.c
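The attachment itself is not reproduced on this page, so here is an added example of a helper along the lines Marcus describes: a setgid-mail program that creates /var/mail/<username> for the real uid that invoked it. This is illustrative code written for this archive page, not Marcus's createmailfolder.c and not Caldera's shipped code. It assumes the layout from the mail (/var/mail mode 775, root:mail, helper setgid mail); the mailbox mode 0660 user:mail, the username character set and the 32-character name limit are further assumptions, not something the message specifies. The creation logic lives in `create_mailbox()` so that it can be exercised against a temporary directory without any privilege.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SPOOL_DIR "/var/mail"  /* assumption: the 775 root:mail spool directory from the mail */

/* Accept only names that cannot escape the spool directory or look like
 * options/dotfiles: [A-Za-z0-9_.-], no leading '.' or '-', at most 32 chars.
 * The character set and length are assumptions, not from the original post. */
int valid_mailbox_name(const char *name)
{
    size_t i;
    if (name == NULL || name[0] == '\0' || name[0] == '.' || name[0] == '-')
        return 0;
    if (strlen(name) > 32)
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Build "<dir>/<name>" into buf. Returns 0 on success, -1 if it does not fit. */
int build_mailbox_path(char *buf, size_t bufsz, const char *dir, const char *name)
{
    int n = snprintf(buf, bufsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Create the mailbox "<dir>/<name>" owned by owner:group with mode 0660.
 * Returns 0 if the mailbox was created or already exists as a regular file
 * owned by `owner`; -1 with errno set otherwise. */
int create_mailbox(const char *dir, const char *name, uid_t owner, gid_t group)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;

    if (!valid_mailbox_name(name)) {
        errno = EINVAL;
        return -1;
    }
    if (build_mailbox_path(path, sizeof path, dir, name) < 0) {
        errno = ENAMETOOLONG;
        return -1;
    }

    /* O_EXCL: never open something somebody else placed under this name;
     * O_NOFOLLOW: never follow a symlink even if one is there. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        if (errno != EEXIST)
            return -1;
        /* Already present: accept only a regular file owned by this user.
         * The directory is not world-writable, so only root/group mail could
         * race us here, which is why an lstat after the failed open suffices. */
        if (lstat(path, &st) < 0)
            return -1;
        if (!S_ISREG(st.st_mode) || st.st_uid != owner) {
            errno = EPERM;
            return -1;
        }
        return 0;
    }

    /* Hand the empty mailbox to the user, group mail, mode 0660
     * (assumed mailbox mode; the mail does not state one). */
    if (fchown(fd, owner, group) < 0 || fchmod(fd, 0660) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);          /* do not leave a half-initialised mailbox behind */
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    uid_t uid = getuid();              /* real uid: the invoking user, never argv */
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) {
        fputs("createmailfolder: unknown uid\n", stderr);
        return 1;
    }
    /* getegid() is the mail group when installed setgid mail. */
    if (create_mailbox(SPOOL_DIR, pw->pw_name, uid, getegid()) < 0) {
        perror("createmailfolder");
        return 1;
    }
    return 0;
}
```

The two points that make this safe to install setgid are that the name comes from the real uid via getpwuid() rather than from the command line, and that the file is created with O_CREAT|O_EXCL|O_NOFOLLOW so an existing entry (whatever it is) is never opened and a symlink is never followed; the mailbox directory not being world-writable is what keeps other users from planting such an entry in the first place.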