Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: rich () ACTIONFIGURE ORG (Rich Burroughs)
Date: Tue, 22 Dec 1998 18:16:29 -0800
Just an FYI, Wietse has issued a few patches to Postfix since this discussion began. The maildrop directory is no longer world readable, and I believe that mailq no longer returns the file names of queue files. The maildrop is still world writable. The patches are available via:

ftp://ftp.porcupine.org/mirrors/postfix-release

He also posted a more extended message to the Postfix mailing lists (which he said was sent to Bugtraq, too, though I haven't seen it here) discussing the design decisions he had made, and the reasons for them.

"I see two directions for Postfix evolution: 1) maintain the present world-writable maildrop and unprivileged posting agent and 2) use a protected directory and a set-gid posting agent (set-uid seems to have no obvious advantage here). Is it feasible to keep maildrop queue file names secret, and are the other attacks indeed mere annoyances? Is it feasible to write secure set-gid programs that are not only secure today, but that will be secure on tomorrow's UNIX systems as well? Your feedback is appreciated."

I think it's important to note that Postfix is still in beta, and is an evolving piece of software. People should keep that in mind when implementing it. I highly encourage people who are either using or considering the use of Postfix to subscribe to the mailing lists and follow the discussion there.

Rich