Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 769 - Group of binary /usr/bin/inc is "root" - should be "mail"
Summary: Group of binary /usr/bin/inc is "root" - should be "mail"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nmh
Version: 5.2
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: David Lawrence
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-01-09 22:20 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-01-10 20:06:18 UTC


Attachments (Terms of Use)

Description Chris Evans 1999-01-09 22:20:22 UTC
This is a minor security concern.
It might also break the ability of "inc" to access the
mail spool.

Comment 1 Jeff Johnson 1999-01-10 16:22:59 UTC
Mail user agents (MUA) were modified in Red Hat 5.2 to depend *only*
on fcntl style locking on mail boxes. That means that the old
requirement that MUA need write access to the spool directory in
order to implement dot-file locking is no longer necessary. So I
would claim that setgid mail is not required in nmh.

Please reopen this bug with a more complete description of a
reproducible problem if I am mistaken.

Comment 2 Chris Evans 1999-01-10 16:45:59 UTC
OK - so maybe sgid mail isn't required.
However, the bug is that sgid root is what the program currently has
and this _definitely_ isn't required. Having it without needing it
is a security concern.

Comment 3 Jeff Johnson 1999-01-10 19:01:59 UTC
Thanks for reopening -- I noticed that the setgid root
created a different problem right after closing the original
bug report.

The /usr/bin/inc became setgid root (rather than mail) during
packaging. The setgid is removed in nmh-0.27-3. The security
issues appear minor but are currently being assessed.

Comment 4 Jeff Johnson 1999-01-10 20:06:59 UTC
Since there are no known exploits of the /usr/bin/inc setgid root
anomaly, there will not be a security errata to correct this bug
in Red Hat 5.2.


Note You need to log in before you can comment on or make changes to this bug.