
Bug 85275

Summary: mailbase fails if /var/spool/mail nfs mounted
Product: Gentoo Linux
Reporter: Simon Matthews <simon+bugzilla>
Component: New packages
Assignee: Net-Mail Packages <net-mail+disabled>
Status: RESOLVED INVALID
Severity: normal
CC: rafael.espindola
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Simon Matthews 2005-03-14 15:27:20 UTC
If /var/spool/mail is mounted from a remote machine, the mailbase ebuild fails. 

Reproducible: Always
Steps to Reproduce:
1. nfs-mount /var/spool/mail 
2. emerge mailbase
3. observe failure!



Expected Results:  
perhaps it could ignore errors trying to set permissions on /var/spool/mail. In
any case, it seems to set incorrect permissions: it sets the permissions to be
777, whereas they should be 1777.
Comment 1 Tuan Van (RETIRED) gentoo-dev 2005-03-14 16:03:30 UTC
Which version of mailbase?

$ mount
...
nfs_host:/nfs_share on /var/spool/mail type nfs (rw,addr=192.168.0.5,addr=192.168.0.5)

# emerge mailbase
...
 * Caching service dependencies ...                                                  [ ok ]
>>> net-mail/mailbase-0.00-r8 merged.

# ls -ld /var/spool/mail
drwxrwxr-x  2 root mail 72 Mar 14 12:35 /var/spool/mail
The permission should be 775 and owned by root:mail. Please see bug #16749
Comment 2 Simon Matthews 2005-03-14 16:08:56 UTC
mailbase-0.00-r8 
Comment 3 Simon Matthews 2005-03-14 17:02:59 UTC
>>> extracting mailbase-0.00-r8
>>> Merging net-mail/mailbase-0.00-r8 to /
--- /etc/
--- /etc/mail/
>>> /etc/mail/aliases
>>> /etc/mailcap
--- /etc/pam.d/
>>> /etc/pam.d/pop
>>> /etc/pam.d/pop3 -> /etc/pam.d/pop
>>> /etc/pam.d/pop3s -> /etc/pam.d/pop
>>> /etc/pam.d/pops -> /etc/pam.d/pop
>>> /etc/pam.d/imap
>>> /etc/pam.d/imap4 -> /etc/pam.d/imap
>>> /etc/pam.d/imap4s -> /etc/pam.d/imap
>>> /etc/pam.d/imaps -> /etc/pam.d/imap
--- /var/
--- /var/spool/
--- /var/spool/mail/
!!! copy /var/tmp/portage-pkg/mailbase-0.00-r8/bin/var/spool/mail/.keep -> /var/spool/mail/.keep failed.
!!! [Errno 1] Operation not permitted


----------------
#mount
...
coremail:/var/spool/mail/ on /var/spool/mail type nfs (rw,addr=192.168.10.249)

# ls -ld /var/spool/mail
drwxrwxrwt  2 root mail 4096 Mar 14 17:00 /var/spool/mail
Comment 4 Simon Matthews 2005-03-14 17:11:45 UTC
Incidentally, aren't perms of 775 incompatible with Postfix? Postfix adopts the privileges of the user that is receiving the email, thus the mail spool directory needs to be writable by all users that will receive email.
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2005-03-15 11:14:29 UTC
Also works fine here. You need the no_root_squash option in the exports file.

About the postfix perms thing, /var/spool/mail is gid mail so it should work fine.

Cheers,
Ferdy
Comment 6 Simon Matthews 2005-03-15 13:09:38 UTC
I believe this breaks Postfix. 

Postfix delivers mail with the privileges of the recipient email. Thus, for email to be delivered to a new user, the new user must be in the "mail" group. If all users are in the "mail" group, then the DOS attack can still be performed.

Postfix does NOT use a setgid mail binary to deliver email. It drops privileges to that of the recipient user. 
Comment 7 Tuan Van (RETIRED) gentoo-dev 2005-03-15 13:43:34 UTC
Why don't you set postfix to deliver mail to $HOME/.maildir?
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-03-17 00:16:32 UTC
Anyway, the permissions of mailbase are also used by the default postfix installation and other package maintainers from other distros are also using 775 root:mail.

Moreover, the O'Reilly book on Postfix disagrees with you. It says the spool directory cannot be world writable and if it is, Postfix won't create new mailboxes while it still delivers mail to existing mailboxes.

Cheers,
Ferdy
Comment 9 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-05 12:01:12 UTC
*** Bug 91595 has been marked as a duplicate of this bug. ***
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2005-08-16 09:25:31 UTC
*** Bug 102719 has been marked as a duplicate of this bug. ***
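
The directory modes argued over in this thread (777, 1777 and 775 root:mail) can be read straight off the `ls -ld` lines quoted in comments 1 and 3. The script below is an added example, not part of the bug report or of mailbase; `classify_ls_line` and `audit_spool` are hypothetical helper names, and the 777 line is constructed sample input.

```shell
#!/bin/sh
# Added example, not from the bug report: classify a spool directory from
# its `ls -ld` line. Helper names are hypothetical.

# classify_ls_line "<ls -ld line>"  ->  prints "<verdict> <owner>:<group>"
classify_ls_line() {
    read -r perms _links owner group _rest <<EOF
$1
EOF
    case $perms in
        d?????????*) ;;                       # directory plus 9 mode chars
        *) echo "not-a-directory"; return 2 ;;
    esac
    group_w=$(printf '%s' "$perms" | cut -c6)
    other_w=$(printf '%s' "$perms" | cut -c9)
    last=$(printf '%s' "$perms" | cut -c10)   # x, -, or t/T when sticky
    if [ "$other_w" = w ]; then
        # Without the sticky bit, any user who can write to the directory
        # can unlink or rename files owned by other users.
        case $last in
            t|T) verdict=world-writable-sticky ;;     # 1777
            *)   verdict=world-writable-no-sticky ;;  # 777
        esac
    elif [ "$group_w" = w ]; then
        verdict=group-writable                        # e.g. 775 root:mail
    else
        verdict=not-shared-writable
    fi
    echo "$verdict $owner:$group"
}

# audit_spool DIR -> returns 1 if DIR is world-writable without sticky bit
audit_spool() {
    result=$(classify_ls_line "$(ls -ld -- "$1")") || return 2
    echo "$1: $result"
    case $result in
        world-writable-no-sticky*) return 1 ;;
    esac
    return 0
}

# The two lines quoted in comments 1 and 3, plus a constructed 777 line.
classify_ls_line 'drwxrwxr-x  2 root mail 72 Mar 14 12:35 /var/spool/mail'
classify_ls_line 'drwxrwxrwt  2 root mail 4096 Mar 14 17:00 /var/spool/mail'
classify_ls_line 'drwxrwxrwx  2 root mail 4096 Mar 14 17:00 /var/spool/mail'
```

Running `audit_spool /var/spool/mail` on a client checks the mounted directory as that client sees it.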