Hi,
I''m running 2 RH5.0 mailservers here with patches from the errata
through
around July 23, including imap-4.1.final-1. Shortly afterinstalling the
latter, we got "mailbox vulnerable, can''t create lockfile"
messages only
from clients using an old version of PC-pine.
We can migrate those users, but then I noticed that fetchmail gives the
same error when run with the -v (verbose) flag.
We have quite a few users who have Netscape 4.1 (Windows) imap mail at
work, but also use pine from home. They aren''t exactly power users and
often forget to close Netscape before leaving. I have no control over
this client setup.
My question is, under these circumstances, wouldn''t allowing the
lockfile
creation in /var/spool/mail be a wiser choice than risking inbox problems?
Actually I think the best way would be to set the lockfiles to be created
in /tmp or in their home directory, does anyone know how to do that? Could
it be a compile option (in imap or which pkg?)
I''m trying to be reasonably secure here, and do my homework, but
haven''t
seen much discussion on this issue. Perhaps I have misconfigured
permissions?
[rgrunloh@elwood /var/spool]$ ls -al
total 9
drwxr-xr-x 9 root root 1024 Mar 24 12:26 .
drwxr-xr-x 15 root root 1024 Jun 9 09:52 ..
drwx------ 3 daemon daemon 1024 Mar 21 15:22 at
drwx------ 2 root root 1024 Jun 17 1997 cron
drwxrwxr-x 3 root daemon 1024 May 11 15:35 lpd
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 mail
drwxr-xr-x 2 root mail 1024 Aug 5 16:26 mqueue
...
[rgrunloh@elwood /var/spool/mail]$ ls -al
total 2386
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 .
drwxr-xr-x 9 root root 1024 Mar 24 12:26 ..
-rw-rw---- 1 dstarkey mail 891 May 20 11:53 dstarkey
-rw-rw---- 1 icsuser mail 0 Mar 24 16:35 icsuser
-rw-rw---- 1 rgrunloh mail 0 Jun 6 07:12 rgrunloh
...
Thanks.
