
Pine 4.02 and directory perms



Hey linux-security-ers:

I just compiled/installed Pine 4.02 for my RH 5.0 machine today (didn't
see an RPM last time I checked ftp.redhat.com:/pub/contrib), and after I
got it installed, it kept giving me errors about not being able to create
a lockfile when dinking with my mailspool in /var/spool/mail.

After doing some digging on DejaNews and the Pine website, I find a
document that says the solution is to 'chmod 1777 /var/spool/mail' (you can
read the doc at http://www.washington.edu/pine/QandA/sysadmins.html).

Now, here's the question: isn't this inherently bad? Doesn't this allow
all sorts of exploits and such, as I can just go into /var/spool/mail and
start dumping things all over the place? Doesn't this open us up to a
bunch of problems /tmp shares as well?

The other suggestion they give is making pine sgid, and owned by a special
group (i.e. probably mail), but they find this solution insecure; I find
their solution insecure.

So, am I paranoid, or is the implementation wrong?

[mod: Please reply in personal mail to Paul. Paul, please summarize
the replies in about a week..... -- REW]


Later,
Paul
  -------------------------------------------------------------------------
  J. Paul Reed                 Among other things, just another perl hacker
  #!/usr/bin/perl       unless ($you =~ /spammer/) { print "Email me!\n"; } 
  @MyEmailAddresses = ("preed verinet com","paul 619pro com"); 
  $MyWebPage = "http://www.verinet.com/~preed";; 
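
The two setups weighed in the message above (a 1777 spool versus a group-writable spool with a setgid mail client) can be told apart from the directory mode, and a writable spool can be audited for entries that do not belong. This is an added example, not part of the original post or of Pine; the function names, the `owner_of` mapping, the assumption that each mailbox file is named after its login, and the `<mailbox>.lock` lockfile naming are choices made for the illustration, and the sample spool is constructed.

```python
import os
import stat
import tempfile

def classify_spool(path):
    """Map the directory mode to the setups discussed in the post."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        # 1777: the sticky bit limits delete/rename to the entry's owner, as on /tmp
        return "world-writable+sticky" if mode & stat.S_ISVTX else "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"  # lockfile creation then needs a setgid mail client
    return "owner-only"

def suspicious_entries(path, owner_of):
    """Flag entries that any local user could have placed in a writable spool.

    owner_of: mailbox name -> expected uid (assumes mailbox file == login name).
    """
    findings = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))  # lstat: never follow links
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
        elif not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file"))
        elif name.endswith(".lock"):
            continue  # assumed lockfile naming; transient, so not reported
        elif name not in owner_of:
            findings.append((name, "no matching account"))
        elif st.st_uid != owner_of[name]:
            findings.append((name, "owner mismatch"))
        elif st.st_nlink > 1:
            findings.append((name, "hard-linked"))
    return findings

def build_sample_spool():
    """Constructed sample data: a throwaway directory, not a real mail spool."""
    spool = tempfile.mkdtemp(prefix="spool-")
    os.chmod(spool, 0o1777)
    for name in ("alice", "bob", "alice.lock", "stray"):
        open(os.path.join(spool, name), "w").close()
    os.symlink("elsewhere", os.path.join(spool, "carol"))  # dangling on purpose
    me = os.getuid()
    return spool, {"alice": me, "bob": me + 1, "carol": me}

if __name__ == "__main__":
    spool, accounts = build_sample_spool()
    print(classify_spool(spool))
    for name, reason in suspicious_entries(spool, accounts):
        print(f"{name}: {reason}")
```

On a real system the `owner_of` mapping would be built from the password database (for example with the standard `pwd` module) and the path would be `/var/spool/mail`.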


