security(8) doesn't know about mailbox locks


Philippe Meunier
Hello,

When cron runs /etc/daily, that script runs df and netstat and the
output is sent by email to root.  On my system, emails to root are
forwarded to local user meunier using /root/.forward.  The forwarding
itself temporarily creates a lock file in /var/mail:

-rw-------  1 root     wheel     0 Oct 21 23:55 meunier.lock

At the same time, /etc/daily runs /usr/libexec/security.  The
check_mailboxes function in that file loops over all the files in
/var/mail and checks whether the owner of the file matches the name of
the file.  If check_mailboxes happens to be running exactly at the
same time as the system is forwarding /etc/daily's first email, then
check_mailboxes sees meunier.lock, the check for that file fails, and
the result is another email sent to root:

Running security(8):

Checking mailbox ownership.
user meunier.lock mailbox is owned by root

So I think the check_mailboxes function in /usr/libexec/security
should either skip lock files or check them in a different way...

Cheers,

Philippe
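
One way to act on the "check them in a different way" option raised in the post above, as an added example that is not part of the original post or of /usr/libexec/security: lock files are still examined, but against their own rule. The function names, the policy (a lock may belong to root or to the mailbox owner, nothing may be group- or world-writable) and the sample entries are assumptions made for illustration.

```perl
# Added example; not the code of /usr/libexec/security.
use strict;
use warnings;
use Fcntl qw(:mode);

# Judge one /var/mail entry: $owner is the owning login name, $mode is st_mode.
# Assumed policy: a mailbox belongs to the user it is named after; NAME.lock
# belongs to root or NAME; both are regular files with no group/other write.
sub judge {
    my ($name, $owner, $mode) = @_;
    my $is_lock = $name =~ /^(.+)\.lock$/;
    my $user = $is_lock ? $1 : $name;
    my $what = $is_lock ? 'lock file' : 'mailbox';
    my @warn;
    push @warn, "$name: $what is not a regular file" unless S_ISREG($mode);
    if ($is_lock) {
        push @warn, "$name: lock file is owned by $owner"
            unless $owner eq 'root' || $owner eq $user;
    } elsif ($owner ne $user) {
        push @warn, "user $name mailbox is owned by $owner";
    }
    push @warn, sprintf('%s: %s is writable by group or other (%04o)',
        $name, $what, S_IMODE($mode)) if $mode & (S_IWGRP | S_IWOTH);
    return @warn;
}

# Walk a spool directory; lstat so that symlinks are judged as themselves.
sub check_dir {
    my ($dir) = @_;
    opendir(my $dh, $dir) or return ("opendir: $dir: $!");
    my @warn;
    foreach my $name (sort readdir($dh)) {
        next if $name =~ /^\.\.?$/;
        my ($mode, $uid) = (lstat "$dir/$name")[2, 4];
        next unless defined $mode;    # e.g. a lock removed since readdir
        push @warn, judge($name, getpwuid($uid) // $uid, $mode);
    }
    closedir $dh;
    return @warn;
}

# Constructed sample entries: [name, owner, st_mode].
my @sample = (
    ['meunier',      'meunier', S_IFREG | 0600],    # ordinary mailbox
    ['meunier.lock', 'root',    S_IFREG | 0600],    # the lock from the report
    ['alice',        'bob',     S_IFREG | 0600],    # wrong owner
    ['alice.lock',   'bob',     S_IFREG | 0666],    # a plain skip hides this
);
my @out = @ARGV ? check_dir($ARGV[0]) : map { judge(@$_) } @sample;
print "$_\n" foreach @out;
```

Run without arguments it judges the constructed entries; given a directory as its argument it walks that directory instead.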

Re: security(8) doesn't know about mailbox locks

Kamil Cholewiński
On Fri, 21 Oct 2016, Philippe Meunier <[hidden email]> wrote:
> When cron runs /etc/daily, that script runs df and netstat and the
> output is sent by email to root.  On my system, emails to root are
> forwarded to local user meunier using /root/.forward.  The forwarding
> itself temporarily creates a lock file in /var/mail:

Try using aliases(5) instead

Re: security(8) doesn't know about mailbox locks

Philippe Meunier
Kamil Cholewiński wrote:
>Try using aliases(5) instead

Okay, but still, security(8) ought not to generate bogus warnings
regardless of the method used to forward emails (and there are also
probably other ways that a lock file might end up in /var/mail, using
a .forward file just happens to be the way that made me notice the
problem).

Cheers,

Philippe

Re: security(8) doesn't know about mailbox locks

Ingo Schwarze
In reply to this post by Philippe Meunier
Hi,

Philippe Meunier wrote on Fri, Oct 21, 2016 at 12:35:46PM -0400:

> When cron runs /etc/daily, that script runs df and netstat and the
> output is sent by email to root.  On my system, emails to root are
> forwarded to local user meunier using /root/.forward.  The forwarding
> itself temporarily creates a lock file in /var/mail:
>
> -rw-------  1 root     wheel     0 Oct 21 23:55 meunier.lock
>
> At the same time, /etc/daily runs /usr/libexec/security.  The
> check_mailboxes function in that file loops over all the files in
> /var/mail and checks whether the owner of the file matches the name of
> the file.  If check_mailboxes happens to be running exactly at the
> same time as the system is forwarding /etc/daily's first email, then
> check_mailboxes sees meunier.lock, the check for that file fails, and
> the result is another email sent to root:
>
> Running security(8):
>
> Checking mailbox ownership.
> user meunier.lock mailbox is owned by root
>
> So I think the check_mailboxes function in /usr/libexec/security
> should either skip lock files or check them in a different way...

I just fixed this by committing the following patch.

Thanks for reporting,
  Ingo


CVSROOT: /cvs
Module name: src
Changes by: [hidden email] 2016/10/22 12:35:12

Modified files:
        libexec/security: security

Log message:
When checking ownership and modes of files in /var/mail/,
ignore *.lock files, to avoid pointless warning mails
reported by Philippe Meunier <meunier at ccs dot neu dot edu>;
OK florian@ jca@


Index: security
===================================================================
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.36
diff -u -p -r1.36 security
--- security 21 Jul 2015 19:07:13 -0000 1.36
+++ security 22 Oct 2016 06:25:15 -0000
@@ -455,6 +455,7 @@ sub check_mailboxes {
  nag !(opendir my $dh, $dir), "opendir: $dir: $!" and return;
  foreach my $name (readdir $dh) {
  next if $name =~ /^\.\.?$/;
+ next if $name =~ /.\.lock$/;
  my ($mode, $fuid, $fgid) = (stat "$dir/$name")[2,4,5];
  unless (defined $mode) {
  nag !$!{ENOENT}, "stat: $dir/$name: $!";
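
Review bot: the added line "next if $name =~ /.\.lock$/;" sits before the stat call, so any entry whose name ends in .lock is exempt from every later check in the loop, not only the owner-matches-name comparison that produced the false warning. The log message says this loop covers ownership and modes, which means a lock file with an unexpected owner or loose permissions would now go unreported. Consider keeping the stat and the mode check for these names and relaxing only the owner comparison (for example, accepting root or the user named by the part before .lock), and add a one-line comment above the new line saying why lock files are treated specially.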