[WBEL-users] Spool Permissions

A Streetcar Named desire@gmail.com
Wed, 30 Jun 2004 09:47:53 +0800


On Tue, 29 Jun 2004 11:56:29 -0400, John Hinton <webmaster@ew3d.com> wrote:
> 
> LogWatch keeps sending this error each day.
> Mailbox vulnerable - directory /var/spool/mail must have 1777 protection: 258 Time(s)
> Doing a bit of reading, it seems that this error is in fact asking for permissions which are not acceptable. But it all depends on what you read.
> 
> So, who's right... the RedHat(WhiteBox) default install or the LogWatch statement?
>
I think that depends on who the MDA is running as.  If it is running
as root/mail, it will generally have write permissions to the mail
spool directory already, so regular users don't need any permissions
other than rx (or maybe even just x).  If the delivery is running as
the user, world will need wx permissions to the directory, though it
is just rwx in most configurations.  Since it is undesirable for a
user to delete/replace another user's mailbox, the directory is also
set sticky - this is also usually the right permissions for /tmp since
similar considerations apply.

If you are somehow concerned about letting the MDA run as root/mail,
and you don't want a world writable mail spool, you can also try
configuring the MDA to deliver mail to ~user/.email or something
similar instead, but that opens up another can of worms.
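As an added example, not code from anyone in this thread: a small POSIX shell checker that classifies a spool directory's mode into the delivery models the reply distinguishes (world-writable plus sticky for per-user delivery, group/owner-writable only when the MDA runs as root or the spool group). The `stat -c '%a'` wrapper assumes GNU coreutils; the directory it inspects is a constructed temporary one.

```shell
#!/bin/sh
# Added example (not from the thread): classify a mail spool directory's
# permission bits according to the two delivery models discussed above.
# Assumes GNU coreutils `stat` for the directory wrapper.

# spool_verdict MODE -- MODE is an octal mode string, e.g. 1777 or 775.
# Prints one word describing which delivery model the mode fits.
spool_verdict() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7])      mode="0$mode" ;;   # no special bits shown
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "invalid"; return 2 ;;
    esac
    special=${mode%???}          # sticky bit is the 1 in this digit
    rest=${mode#?}
    group=${rest#?}; group=${group%?}
    other=${rest#??}
    if [ $((other & 2)) -ne 0 ]; then
        # world-writable: only safe if users cannot unlink each other's
        # mailboxes, i.e. the sticky bit is set (the 1777 LogWatch wants)
        if [ $((special & 1)) -ne 0 ]; then
            echo "user-delivery"        # MDA may deliver as the recipient
        else
            echo "unsafe-no-sticky"     # any user can remove/replace mailboxes
        fi
        return 0
    fi
    # not world-writable: the MDA itself must be able to create mailboxes
    if [ $((group & 2)) -ne 0 ]; then
        echo "privileged-delivery"      # MDA runs as root or the spool group
    else
        echo "owner-delivery-only"      # only the directory owner (root) can
    fi
}

# check_spool_dir DIR -- read the live mode of DIR and classify it.
check_spool_dir() {
    spool_verdict "$(stat -c '%a' "$1")"
}

# Demonstration on a constructed directory, so nothing real is touched.
demo=$(mktemp -d)
chmod 1777 "$demo"
printf '%s: %s\n' "$demo" "$(check_spool_dir "$demo")"
chmod 0775 "$demo"
printf '%s: %s\n' "$demo" "$(check_spool_dir "$demo")"
rmdir "$demo"
```

Run `check_spool_dir /var/spool/mail` on a real host to see which model its current mode fits; "unsafe-no-sticky" is the one combination that matches neither model.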