Path: utzoo!utgpu!watmath!clyde!ima!think!barmar From: barmar@think.COM (Barry Margolin) Newsgroups: comp.unix.wizards Subject: Re: Nasty Security Hole? Keywords: mail permissions security Message-ID: <32210@think.UUCP> Date: 28 Nov 88 06:09:58 GMT References: <175@ernie.NECAM.COM> <189@wyn386.UUCP> <2955@ingr.UUCP> <1031@alobar.ATT.COM> <6527@june.cs.washington.edu> Sender: news@think.UUCP Reply-To: barmar@kulla.think.com.UUCP (Barry Margolin) Distribution: na Organization: Thinking Machines Corporation, Cambridge MA, USA Lines: 21 In article <6527@june.cs.washington.edu> ka@june.cs.washington.edu (Kenneth Almquist) writes: >grs@alobar.ATT.COM (Gregg Siegfried) writes: >> By setting the sticky bit (chmod 1xxx >> file) on a directory, users are prevented from removing any files from that >> directory except those that they own, even if the directory permissions are >> 777. >I'm not sure what problem this "feature" is supposed to solve, anyway. [He presumes it is for /tmp, and suggests each user have his own temp-dir.] No, I think it was invented specifically for /usr/spool/mail. Everyone must be able to remove or rename his incoming mail file. Giving each user his own subdirectory of /usr/spool/mail might be a possibility, but it would be an incompatible change that would affect many mail-reading/sending facilities that know about /usr/spool/mail. Barry Margolin Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar