Summary: Moved /var/mail. Can't read root

From: Freedman Dan (Dan.Freedman@GSC.GTE.Com)
Date: Wed Jul 02 1997 - 13:24:00 CDT


Original question:

Sun Managers,

We've run into a strange problem when we relocated our mail storage area from /var/mail to another directory (/export/home/mail). In order to complete this move we simply moved all the mail files to the new directory and created a symbolic link from /var/mail --> /export/home/mail. /var/mail is still mounted via NFS by all our clients. Mail has functioned perfectly well on all accounts except root. We cannot read root mail on any machine except the mail server.

The strange thing is... if we give "other" at least "read" permission, then root mail can be read by a client machine (user logged in as root).

We are running Solaris 2.4 with NIS+. Our NIS+ master server and our mail server are the same machine.

My first guess is that the problem is with the symbolic link, but all other accounts work. Then I thought that the mail server wasn't recognizing the client as root, but we don't get a permission error. If we "cat /var/mail/root", the file is empty. Changing the permissions to 664 and running "cat /var/mail/root" gives the correct results.

Anyone know how to avoid giving read permission to other and still view root's mail by a client via NFS?

****************************************

Thank you very much for the quick response. I didn't think my post went through because I got a "message undelivered" bounced back to me.

Everyone pretty much pointed out the same thing. In order to prevent someone from spoofing NFS packets as root, root files cannot be accessed over NFS unless given special permission during export. You could either change the ownership of the file to "nobody" or export the filesystem with "root=client" permission. Actually I discovered that setting anon=0 in the dfstab file seemed to do the trick as well.
     share -F nfs -o rw,anon=0 /var/mail
     share -F nfs -o rw,anon=0 /export/home/mail

I probably will change the anon=0 to root=client1:client2:client3 in the future because I have the feeling anon=0 poses a security risk. Anonymous user given root permission.

Thanks again for the responses.

Dan Freedman
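An added example, not part of Dan's summary or of any Solaris tool: a small POSIX shell audit that scans dfstab-style share lines for the anon=0 option the summary warns about, and shows how such a line would be rewritten with the root= client list instead. The dfstab content and the client names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample dfstab content: the two share lines from the summary
# (anon=0 maps every unauthenticated/root-squashed request to uid 0 on the
# server) plus one share already using the safer root= client list.
SAMPLE_DFSTAB='share -F nfs -o rw,anon=0 /var/mail
share -F nfs -o rw,anon=0 /export/home/mail
share -F nfs -o rw,root=client1:client2:client3 /export/home/mail2'

# Print the path of every share whose -o option list contains anon=0.
# The option string is parsed field by field so that e.g. "anon=0" does not
# match "anon=60001" or a root= entry that merely contains the digit 0.
find_anon0_shares() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*share[[:space:]]/ {
            opts = ""
            for (i = 1; i <= NF; i++) if ($i == "-o") opts = $(i + 1)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) if (o[j] == "anon=0") print $NF
        }'
}

# Rewrite one share line, replacing anon=0 with root=<hosts> so that only the
# named clients (hypothetical names, colon separated) keep root access and
# everyone else is still squashed to the anonymous user.
# Usage: harden_share_line 'share -F nfs -o rw,anon=0 /var/mail' 'client1:client2'
harden_share_line() {
    printf '%s\n' "$1" | sed "s/\([,=[:space:]]\)anon=0\([,[:space:]]\)/\1root=$2\2/"
}

# Stand-alone run: list the risky shares, then show the hardened form of each.
find_anon0_shares "$SAMPLE_DFSTAB" | while IFS= read -r path; do
    line=$(printf '%s\n' "$SAMPLE_DFSTAB" | grep " $path\$")
    printf 'anon=0 share: %s\n  suggested: %s\n' "$path" "$(harden_share_line "$line" client1:client2:client3)"
done
```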



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:58 CDT