Summary:Moved /var/mail. Can't read root

From: Freedman Dan (Dan.Freedman@GSC.GTE.Com)
Date: Wed Jul 02 1997 - 13:24:00 CDT

Original question:

Sun Managers,

We've run into a strange problem when we relocated our mail storage area
/var/mail to another directory (/export/home/mail). In order to
this move we simply moved all the mail files to the new directory and
a symbolic link from /var/mail --> /export/home/mail. /var/mail is
mounted via NFS by all our clients. Mail has functioned perfectly well
on all
accounts except root. We cannot read root mail on any machine except
mail server.

The strange thing is...if we give "other" at least "read" permission,
root mail can be read by a client machine (user logged in as root).

We are running Solaris2.4 with NIS+. Our NIS+ master server and our
server are the same machine.

My first guess is that the problem is with the symbolic link, but all
accounts work. Then I thought that the mail server wasn't recognizing
client as root, but we don't get a permission error. If we "cat
/var/mail/root", the file is empty. Changing the permissions to 664 and
running "cat /var/mail/root" gives the correct results.

Anyone know how to avoid give read permission to other and still view
mail by a client via NFS?


Thank you very much for the quick response. I didn't think my post went
through because I got an "message undelivered" bounced back to me.

Everyone pretty much pointed out the same thing. In order to prevent
from spoofing NFS packets as root, root files cannot be accessed over
unless given special permission during export. You could either change
ownership of the file to "nobody" or export the filesystem with
permission. Actually I discovered that setting anon=0 in the dfstab
seemed to do the trick as well.
     share -F nfs -o rw,anon=0 /var/mail
     share -F nfs -o rw,anon=0 /export/home/mail

I probably will change the anon=0 to root=client1:client2:client3
in the
future because I have the feeling anon=0 poses a security risk.
user given root permission.

Thanks again for the responses.

Dan Freedman

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:58 CDT