Closed Bug 257248 Opened 21 years ago Closed 21 years ago

Add option to use external movemail command to fetch mails from /var/spool/mail

Categories

(Thunderbird :: Account Manager, defect)

All
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 56671

People

(Reporter: brbromo, Assigned: mscott)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.6) Gecko/20040506 Firefox/0.8
Build Identifier: Mozilla Thunderbird 0.5 (20040306)

Using movemail without an external movemail command leads to security issues. In fact, to fetch mail from /var/spool/mail you need to create a lock inside that directory, and so you need write permissions to that folder. Giving these permissions to the Thunderbird application is VERY INSECURE. Bugs of this (BIG) application could be used to access the directory with write permissions.

The solution: use a small external command (like the GNU movemail command), which has gid=mail and "set gid" bit == 1. This is the approach of mutt mail client (it uses the mutt_dotlock external script to create the lock).

The old Netscape Messenger had an option for this: http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/movemail.html (see the "The movemail Program" section).

Reproducible: Always

Steps to Reproduce:
1. Create a movemail account
2. Use that account

Actual Results: I need to give TB write permissions to the /var/spool/mail folder.

Expected Results: Use an external movemail command (like the GNU movemail command)
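The privilege split requested in the report, as an added example that is not part of the original report and is not code from GNU movemail, mutt_dotlock or Thunderbird: a small lock helper meant to be installed with group mail and the setgid bit, so that only it, and not the mail client, needs write access to the spool directory. The function names, the 64-character name limit and the `SPOOL_DIR` value are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SPOOL_DIR "/var/spool/mail"  /* assumed spool path; all names here are hypothetical */

/* Accept only a plain mailbox name: non-empty, bounded, no leading dot, no '/'. */
int valid_mailbox_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    return strchr(name, '/') == NULL;
}

/* Build "<dir>/<name>.lock"; refuse invalid names and truncated paths. */
static int lock_path(char *out, size_t len, const char *dir, const char *name)
{
    if (!valid_mailbox_name(name)) return -1;
    int n = snprintf(out, len, "%s/%s.lock", dir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Returns 0 when the lock was taken, 1 when it is already held, -1 on error. */
int dotlock_acquire(const char *dir, const char *name)
{
    char path[512];
    if (lock_path(path, sizeof path, dir, name) != 0) return -1;
    /* O_CREAT|O_EXCL is atomic and fails on an existing file or symlink. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return errno == EEXIST ? 1 : -1;
    close(fd);
    return 0;
}

/* Returns 0 when the lock file was removed, -1 otherwise. */
int dotlock_release(const char *dir, const char *name)
{
    char path[512];
    if (lock_path(path, sizeof path, dir, name) != 0) return -1;
    return unlink(path) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) return 2;  /* usage: helper lock|unlock MAILBOX */
    if (strcmp(argv[1], "lock") == 0) return dotlock_acquire(SPOOL_DIR, argv[2]) != 0;
    return strcmp(argv[1], "unlock") == 0 ? dotlock_release(SPOOL_DIR, argv[2]) != 0 : 2;
}
```

A deployed helper would also check that the mailbox named on the command line belongs to the invoking user before locking it.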
*** This bug has been marked as a duplicate of 56671 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE