Re: Why you should avoid world-writable directories

[rich () ACTIONFIGURE ORG (Rich Burroughs)]

Just an FYI, Wietse has issued a few patches to Postfix since this
discussion began. The maildrop directory is no longer world readable, and
I believe that mailq no longer returns the file names of queue files. The
maildrop is still world writable.

The patches are available via:

ftp://ftp.porcupine.org/mirrors/postfix-release

He also posted a more extended message to the Postfix mailing lists (which
he said was sent to Bugtraq, too, though I haven't seen it here)
discussing the design decisions he had made, and the reasons for them.

"I see two directions for Postfix evolution: 1) maintain the present
world-writable maildrop and unprivileged posting agent and 2) use
a protected directory and a set-gid posting agent (set-uid seems
to have no obvious advantage here). Is it feasible to keep maildrop
queue file names secret, and are the other attacks indeed mere
annoyances? Is it feasible to write secure set-gid programs that
are not only secure today, but that will be secure on tomorrow's
UNIX systems as well?

Your feedback is appreciated."

I think it's important to note that Postfix is still in beta, and is an
evolving piece of software. People should keep that in mind when
implementing it. I highly encourage people who are either using or
considering the use of Postfix to subscribe to the mailing lists and
follow the discussion there.


Rich