group ownership of /var/mail

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

group ownership of /var/mail

J Moore
... trying to get an errant package (akpop3d) squared away raised the
following question:

Some othe OSs (Linux-Fedora, and FreeBSD) assign ownership of the
/var/mail directory to a group named "mail"; OpenBSD assigns ownership
of this directory to the group "wheel".

Apparently akpop3d needs write access to /var/mail to create a lock file
for the user's mail spool. akpop3d assumes /var/mail is owned by group
"mail", but allows that to be changed at startup with the -g option.

This leads me to a two-part question:
1. Is there an advantage to assigning group ownership of /var/mail to
"wheel", or was this choice simply arbitrary?

2. To get akpop3d running should I change group ownership of /var/mail
to "mail" (rather than giving akpop3d the '-g wheel' option)?

And yes - I did email the port maintainer, but have received no response
in almost a week.

Thnx,
Jay

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Theo de Raadt
Locking should (safely) be done by spawing a copy of mail.local
for the duration of the operation.  This is designed to be safe
even when using NFS spools.

NFS spools are the reason people kept running into trouble
trying to design something safe.  A few years ago we settled
on this method which is safe.

Lots of mailer programs want direct access to the spool, and will
do it wrong.  Proper locking in an NFS directory like that is hard.
This makes it easier.

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

J Moore
On Sat, Nov 26, 2005 at 04:51:38PM -0700, the unit calling itself Theo de Raadt wrote:

>> This leads me to a two-part question:
>> 1. Is there an advantage to assigning group ownership of /var/mail to
>> "wheel", or was this choice simply arbitrary?
>>
>> 2. To get akpop3d running should I change group ownership of
>> /var/mail to "mail" (rather than giving akpop3d the '-g wheel'
>> option)?

> Locking should (safely) be done by spawing a copy of mail.local
> for the duration of the operation.  This is designed to be safe
> even when using NFS spools.
>
> NFS spools are the reason people kept running into trouble
> trying to design something safe.  A few years ago we settled
> on this method which is safe.
>
> Lots of mailer programs want direct access to the spool, and will
> do it wrong.  Proper locking in an NFS directory like that is hard.
> This makes it easier.

Let me see if I've got this straight:

sendmail uses mail.local to deliver mail to the user's mail spool, and
mail.local uses lock files of the form "username.lock" while it does its
thing with the spool file.

However, akpop3d doesn't appear to use this form of the lockfile. If
that's the case I don't get the relevance of mail.local.

I can appreciate that file locking in an NFS directory is hard to do; I
gather then that the answer to Q 1. is that the choice was not
arbitrary.

If ownership of /var/mail by group "wheel" is not arbitrary, then it
would seem that the answer to Q 2. is to run akpop3d with the option
'-g wheel'. I would have thought that was not the "best" choice as it
entrusts akpop3d with the ability to write anywhere "wheel" is able to -
rather than just /var/mail.

Analysis, comments?

Thnx,
Jay

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Theo de Raadt
> Let me see if I've got this straight:

I don't see any point.  You just don't understand anything.
So why should I bother explaining anything to you.

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Han Boetes
Theo de Raadt wrote:
> > Let me see if I've got this straight:
>
> I don't see any point.  You just don't understand anything.
> So why should I bother explaining anything to you.

Yet another usefull adition to the mailinglist-archives.



# Han

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

J Moore
In reply to this post by Theo de Raadt
On Sat, Nov 26, 2005 at 07:53:22PM -0700, the unit calling itself Theo de Raadt wrote:
> > Let me see if I've got this straight:
>
> I don't see any point.  You just don't understand anything.
> So why should I bother explaining anything to you.
>
no reason, I guess... but thanks for your valuable time.

Jay

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Pierre Lamy
In reply to this post by J Moore
The problem is that a non-MTA is trying to write something to /var/mail,
which is bad.

The OpenBSD developers can't account for every third party's wierd way
of doing things; you did the right thing by mailing the developer, but
if they can't help you maybe you should switch to a different pop3
server. You're not going to get any constructive answers here that will
satisfy you.

J Moore wrote:

>On Sat, Nov 26, 2005 at 04:51:38PM -0700, the unit calling itself Theo de Raadt wrote:
>
>  
>
>>>This leads me to a two-part question:
>>>1. Is there an advantage to assigning group ownership of /var/mail to
>>>"wheel", or was this choice simply arbitrary?
>>>
>>>2. To get akpop3d running should I change group ownership of
>>>/var/mail to "mail" (rather than giving akpop3d the '-g wheel'
>>>option)?
>>>      
>>>
>
>  
>
>>Locking should (safely) be done by spawing a copy of mail.local
>>for the duration of the operation.  This is designed to be safe
>>even when using NFS spools.
>>
>>NFS spools are the reason people kept running into trouble
>>trying to design something safe.  A few years ago we settled
>>on this method which is safe.
>>
>>Lots of mailer programs want direct access to the spool, and will
>>do it wrong.  Proper locking in an NFS directory like that is hard.
>>This makes it easier.
>>    
>>
>
>Let me see if I've got this straight:
>
>sendmail uses mail.local to deliver mail to the user's mail spool, and
>mail.local uses lock files of the form "username.lock" while it does its
>thing with the spool file.
>
>However, akpop3d doesn't appear to use this form of the lockfile. If
>that's the case I don't get the relevance of mail.local.
>
>I can appreciate that file locking in an NFS directory is hard to do; I
>gather then that the answer to Q 1. is that the choice was not
>arbitrary.
>
>If ownership of /var/mail by group "wheel" is not arbitrary, then it
>would seem that the answer to Q 2. is to run akpop3d with the option
>'-g wheel'. I would have thought that was not the "best" choice as it
>entrusts akpop3d with the ability to write anywhere "wheel" is able to -
>rather than just /var/mail.
>
>Analysis, comments?
>
>Thnx,
>Jay

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

J Moore
On Sun, Nov 27, 2005 at 12:39:50AM -0500, the unit calling itself Pierre Lamy wrote:
> The problem is that a non-MTA is trying to write something to /var/mail,
> which is bad.
>
> The OpenBSD developers can't account for every third party's wierd way
> of doing things; you did the right thing by mailing the developer, but
> if they can't help you maybe you should switch to a different pop3
> server. You're not going to get any constructive answers here that will
> satisfy you.

You may be correct about constructive answers. Wrt the choice of a POP3
server, the package list (http://www.openbsd.org/3.8_packages/i386.html)
says:

'akpop3d-0.7.7.tgz    small and secure POP3 daemon'

I don't know - maybe I'm asking the wrong questions?

Jay

>
> J Moore wrote:
>
> >On Sat, Nov 26, 2005 at 04:51:38PM -0700, the unit calling itself Theo de Raadt wrote:
> >
> >  
> >
> >>>This leads me to a two-part question:
> >>>1. Is there an advantage to assigning group ownership of /var/mail to
> >>>"wheel", or was this choice simply arbitrary?
> >>>
> >>>2. To get akpop3d running should I change group ownership of
> >>>/var/mail to "mail" (rather than giving akpop3d the '-g wheel'
> >>>option)?
> >>>      
> >>>
> >
> >  
> >
> >>Locking should (safely) be done by spawing a copy of mail.local
> >>for the duration of the operation.  This is designed to be safe
> >>even when using NFS spools.
> >>
> >>NFS spools are the reason people kept running into trouble
> >>trying to design something safe.  A few years ago we settled
> >>on this method which is safe.
> >>
> >>Lots of mailer programs want direct access to the spool, and will
> >>do it wrong.  Proper locking in an NFS directory like that is hard.
> >>This makes it easier.
> >>    
> >>
> >
> >Let me see if I've got this straight:
> >
> >sendmail uses mail.local to deliver mail to the user's mail spool, and
> >mail.local uses lock files of the form "username.lock" while it does its
> >thing with the spool file.
> >
> >However, akpop3d doesn't appear to use this form of the lockfile. If
> >that's the case I don't get the relevance of mail.local.
> >
> >I can appreciate that file locking in an NFS directory is hard to do; I
> >gather then that the answer to Q 1. is that the choice was not
> >arbitrary.
> >
> >If ownership of /var/mail by group "wheel" is not arbitrary, then it
> >would seem that the answer to Q 2. is to run akpop3d with the option
> >'-g wheel'. I would have thought that was not the "best" choice as it
> >entrusts akpop3d with the ability to write anywhere "wheel" is able to -
> >rather than just /var/mail.
> >
> >Analysis, comments?
> >
> >Thnx,
> >Jay
>
> [demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Matthew Weigel
J Moore wrote:

> You may be correct about constructive answers. Wrt the choice of a POP3
> server,

You should probably look to
http://www.openbsd.org/cgi-bin/man.cgi?query=popa3d first.
--
  Matthew Weigel

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

J Moore
On Sun, Nov 27, 2005 at 01:16:27AM -0600, the unit calling itself Matthew Weigel wrote:
> J Moore wrote:
>
> >You may be correct about constructive answers. Wrt the choice of a POP3
> >server,
>
> You should probably look to
> http://www.openbsd.org/cgi-bin/man.cgi?query=popa3d first.

Yep - I looked at it first... but IIRC it doesn't support POP via SSL

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Rogier Krieger
On 11/27/05, J Moore <[hidden email]> wrote:
> On Sun, Nov 27, 2005 at 01:16:27AM -0600, the unit calling itself Matthew Weigel wrote:
<snip>
> > You should probably look to
> > http://www.openbsd.org/cgi-bin/man.cgi?query=popa3d first.
>
> Yep - I looked at it first... but IIRC it doesn't support POP via SSL

How about stunnel?

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.

Reply | Threaded
Open this post in threaded view
|

Re: group ownership of /var/mail

Smith-6
In reply to this post by J Moore
Do away with akpop3d altogether.  Use OpenBSD's sendmail and popa3d.  
Install OpenVPN on your OpenBSD server and client computer to connect to
OpenBSD's default MTA and POP3 server.  This is a much easier and vastly
more flexible solution.  I use it all the time and only require's me to
install one single 3rd party application (OpenVPN).  By your route, you
have to install akpop3d and configure it and then sasl and configure it
for sending out encrypted email.  By your route, you have to watch not
only your OpenBSD vulnerabilities but vulnerabilites for akpop3d and
sasl (or any other 3rd party solution you choose to authenticate your
smtp connection).  Do it my way and you only have to watch out for
OpenBSD and OpenVPN vulnerabilities.

J Moore wrote:

>... trying to get an errant package (akpop3d) squared away raised the
>following question:
>
>Some othe OSs (Linux-Fedora, and FreeBSD) assign ownership of the
>/var/mail directory to a group named "mail"; OpenBSD assigns ownership
>of this directory to the group "wheel".
>
>Apparently akpop3d needs write access to /var/mail to create a lock file
>for the user's mail spool. akpop3d assumes /var/mail is owned by group
>"mail", but allows that to be changed at startup with the -g option.
>
>This leads me to a two-part question:
>1. Is there an advantage to assigning group ownership of /var/mail to
>"wheel", or was this choice simply arbitrary?
>
>2. To get akpop3d running should I change group ownership of /var/mail
>to "mail" (rather than giving akpop3d the '-g wheel' option)?
>
>And yes - I did email the port maintainer, but have received no response
>in almost a week.
>
>Thnx,
>Jay