Date: Wed, 5 Aug 1998 16:34:59 -0700 (MST)
From: "R. Grunloh's work mailing list acct." <rgwork@elwood.library.arizona.edu>
To: linux-security@redhat.com
Subject: [linux-security] "mailbox vulnerable" messages

Hi,

I'm running 2 RH5.0 mailservers here with patches from the errata through around July 23, including imap-4.1.final-1. Shortly after installing the latter, we got "mailbox vulnerable, can't create lockfile" messages only from clients using an old version of PC-pine. We can migrate those users, but then I noticed that fetchmail gives the same error when run with the -v (verbose) flag.

We have quite a few users who have Netscape 4.1 (Windows) imap mail at work, but also use pine from home. They aren't exactly power users and often forget to close Netscape before leaving. I have no control over this client setup.

My question is, under these circumstances, wouldn't allowing the lockfile creation in /var/spool/mail be a wiser choice than risking inbox problems? Actually I think the best way would be to set the lockfiles to be created in /tmp or in their home directory, does anyone know how to do that? Could it be a compile option (in imap or which pkg?)

I'm trying to be reasonably secure here, and do my homework, but haven't seen much discussion on this issue. Perhaps I have misconfigured permissions?

[rgrunloh@elwood /var/spool]$ ls -al
total 9
drwxr-xr-x 9 root root 1024 Mar 24 12:26 .
drwxr-xr-x 15 root root 1024 Jun 9 09:52 ..
drwx------ 3 daemon daemon 1024 Mar 21 15:22 at
drwx------ 2 root root 1024 Jun 17 1997 cron
drwxrwxr-x 3 root daemon 1024 May 11 15:35 lpd
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 mail
drwxr-xr-x 2 root mail 1024 Aug 5 16:26 mqueue
...

[rgrunloh@elwood /var/spool/mail]$ ls -al
total 2386
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 .
drwxr-xr-x 9 root root 1024 Mar 24 12:26 ..
-rw-rw---- 1 dstarkey mail 891 May 20 11:53 dstarkey
-rw-rw---- 1 icsuser mail 0 Mar 24 16:35 icsuser
-rw-rw---- 1 rgrunloh mail 0 Jun 6 07:12 rgrunloh
...

Thanks.
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null