Beware, beware when munging around /var/mail...


Post by Juan M. Courco » Wed, 20 Sep 1995 04:00:00



A short war story which happened to yours truly this past weekend... Let's
say this was a learning experience ;)

Our campus mail server had been running out of space for the incoming mail
for a while now, so I took advantage of the Mexican Independence holiday
to shut it down and rearrange things.

There I go, merrily defining a new partition, dumping all inboxes onto it
and mounting it in its place. No errors so far and I was happy as a clam.
To be on the safe side, I decided to get a backup of the whole machine
before letting the users loose on it.

When the machine reboots following the backup, and goes back to runlevel
3, all mail-hell broke loose. Unbeknownst to me (yeah, I know, I SHOULD
have double-checked), the /var/mail mount point had switched group, from
mail to sys, but retaining 1775 permissions. As a result, sendmail was
correctly placing the incoming letters on temp files in /tmp, but mail was
unable to deliver them since it had no write permissions.

By the time I caught it, there were over 1,700 temp mailfiles and very
mystified users who were not receiving mail. A quick chgrp remedied the
operation, but I was still left with MUCHOS undelivered mailfiles. I am
still wondering why the change of group.

Also, after the experience, I checked out three Sol 2.4 hosts I had
recently installed and was surprised to find that /var/mail had 1777
permissions !! It did correctly belong to mail/mail, though. Since I had
just reinstalled one of them from CD, I can only assume this was the
default. Fortunately, there was no security leak here, since these
machines do not receive mail (MX points elsewhere) but this really looks
like something to check into.

Also, in order to clean up /tmp and deliver the bunch of undelivereds, I
whipped up a quick Perl script. It is definitely not a work of art and
Larry Wall would probably find it hilariously funny, but I can either post
it here or send it to anyone in a similar predicament.

Just for the record, all this happened on a SS20, with Sol 2.3, Perl
5.001m and sendmail v8.6.12.

--


Campus Queretaro

 
 
 


Post by Juan M. Courco » Thu, 21 Sep 1995 04:00:00




> Also, after the experience, I checked out three Sol 2.4 hosts I had
> recently installed and was surprised to find that /var/mail had 1777
> permissions !! It did correctly belong to mail/mail, though. Since I had
> just reinstalled one of them from CD, I can only assume this was the
> default. Fortunately, there was no security leak here, since these
> machines do not receive mail (MX points elsewhere) but this really looks
> like something to check into.

Ok, so it always helps to read the chmod(2) manpage... /var/mail
permissions ARE correctly set to 1777 on all Solaris hosts, the directory
belongs to root and the mail group. The sticky bit prevents nasties from
erasing someone else's mail, since all incoming mailfiles (INBOXes) have
0770 permissions, and belong to the corresponding userid and the mail
group.

Sorry, but my BSD was showing... ;)

--


Campus Queretaro
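
An added example, not part of the original posts: a mounted filesystem presents the owner, group and mode of its own root directory in place of the mount point's, so the spool directory is worth checking after any remount and before delivery resumes. The `check_spool` function and the script name are hypothetical; the expected values passed to it (for instance `root mail 1777` from the follow-up, or group `mail` with mode `1775` from the first post) are whatever the local mailer requires.

```shell
#!/bin/sh
# Added example (not from the thread): verify a mail spool directory after a
# remount. Function name, script name and messages are hypothetical.
#
# usage: check_spool DIR OWNER GROUP MODE
#   0 = DIR has exactly that owner, group and octal mode
#   1 = mismatch (current attributes are printed to stderr)
#   2 = DIR is missing or not a directory
check_spool() {
    dir=$1 owner=$2 group=$3 mode=$4

    if [ ! -d "$dir" ]; then
        echo "check_spool: $dir is not a directory" >&2
        return 2
    fi

    # -prune keeps find from descending into the inboxes; -perm with a plain
    # octal value is an exact match, so 1775 and 1777 are told apart.
    match=$(find "$dir" -prune -type d -user "$owner" -group "$group" \
                 -perm "$mode" -print 2>/dev/null) || match=

    if [ -n "$match" ]; then
        return 0
    fi

    echo "check_spool: $dir is not $owner:$group mode $mode, found:" >&2
    ls -ld "$dir" >&2
    return 1
}

# Run as a script, e.g.:  sh check_spool.sh /var/mail root mail 1777
if [ "$#" -eq 4 ]; then
    check_spool "$@"
fi
```

Called from the boot sequence ahead of the mailer, a non-zero exit can hold delivery until the directory is fixed instead of letting temp files pile up.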

 
 
 


Post by Larry Wa » Sat, 23 Sep 1995 04:00:00




: Also, in order to clean up /tmp and deliver the bunch of undelivereds, I
: whipped up a quick Perl script. It is definitely not a work of art and
: Larry Wall would probably find it hilariously funny, but I can either post
: it here or send it to anyone in a similar predicament.

Hey, if it gets the job done, I can keep a straight face, briefly.

Larry Wall

 
 
 
