Assignment 5, Solutions

Part of the homework for 22C:169, Spring 2011
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

  1. Background: Consider the following idea. You are working on a Unix-like system shared by many others, but without any e-mail system, so you are not constrained by compatibility with the past. You have decided that each e-mail message will be a file, and that a directory in the file system will be used to represent each mailbox. Specifically, for the user u, with home directory /users/u, the incoming mailbox would be named /users/u/inbox. As a second and somewhat independent decision, you decide that mail delivery will be done by a process operating on behalf of the sender. Initially, ignore the possibility of generalizing this e-mail system to a network environment.

    a) What minimum access rights must be granted to the general public on /users/u to allow mail delivery from other users? (0.5 points)

    The public must be able to traverse the path to the inbox, so /, /users and /users/u must all have the public-execute bit set (recall that on a directory, this confers the right to traverse but not to list the directory).

    b) What access rights should be granted to the general public on /users/u/inbox? There is only one right answer that permits mail delivery without permitting other users to access information that is none of their business. (0.5 points)

    The public must have the right to write this directory in order to put links in it to messages, but the public must not be able to read or traverse this directory, in order to prevent the public from reading e-mail left there by others.

    c) What access rights should the sender of each piece of e-mail set on the file holding that e-mail? (0.5 points)

    The recipient had better be able to read the mail, so it must be publicly readable.

    d) Suppose some user has created an e-mail message m with the access rights set appropriately in the current directory. What single shell command, written out in full, would suffice to send that e-mail to user u? (0.5 points)

    mv m /users/u/inbox

    e) What's wrong with the above scheme? Assuming that users set the access rights correctly (as required by parts a, b and c above), what damage can a malicious user cause to correspondence between other users? (Note that we are not concerned with a user who damages that user's own incoming or outgoing mail.) (0.5 points)

    If I send a message with the same file name as you used for your e-mail, my link will overwrite your link and your message will be lost.
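The failure mode described in part e, reproduced as an added example (not code from the course): two senders each deliver a file named m with the mv command of part d, modelled here with os.replace, which has the same replace-on-collision behaviour. The directory tree is constructed under a temporary root rather than the real /users.

```python
import os
import tempfile

def deliver_by_mv(message_path, inbox):
    # "mv m /users/u/inbox": the link lands in the inbox under the same name,
    # and an existing entry with that name is silently replaced, as mv does.
    os.replace(message_path, os.path.join(inbox, os.path.basename(message_path)))

def demo_collision():
    # Constructed sample system: /users/u/inbox plus a home directory per sender.
    root = tempfile.mkdtemp()
    inbox = os.path.join(root, "users", "u", "inbox")
    os.makedirs(inbox)
    # Senders a and b each write a message named "m" in their own directory
    # and deliver it with the single mv command of part d.
    for sender in ("a", "b"):
        home = os.path.join(root, "users", sender)
        os.makedirs(home)
        with open(os.path.join(home, "m"), "w") as f:
            f.write(f"message from {sender}\n")
        deliver_by_mv(os.path.join(home, "m"), inbox)
    # Only one entry survives; a's message is gone without any error.
    names = sorted(os.listdir(inbox))
    with open(os.path.join(inbox, "m")) as f:
        survivor = f.read().strip()
    return names, survivor
```

Nothing in the scheme lets the recipient notice the loss: the inbox simply contains the later message under the shared name.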

  2. Background: An alternative design for an e-mail system relies on a trusted e-mail program, running in its own process, with a distinct user ID. We'll call it sendmail. Now, each user u, with home directory /users/u, has an incoming mailbox named /users/u/inbox and an outgoing mailbox named /users/u/outbox.

    The sendmail process repeatedly scans all outboxes looking for messages that can be delivered, and then it links those messages to the appropriate inbox before deleting the link from the outbox. To do this, the sendmail program must be able to read all messages, since the destination address must be part of the content of the message.

    Note, now, that there are three parties involved in a mail transfer between users a and b. As a result, any useful solution to this problem will involve group access rights. Note also that any useful solution will allow for the possibility of other activity on the system. As a result, while the sendmail program can have special access to inboxes and outboxes, it cannot have special access to users' home directories.

    a) What minimum access rights must be granted on /users/u to allow sendmail the access it needs? (0.5 points)

    Traverse rights, just as in the first scheme.

    b) What access rights should be granted on /users/u/inbox and /users/u/outbox (note that these may or may not be the same)? (0.5 points)

    Here, ownership and group mechanisms become critical. Only the user and sendmail should have any access to the inbox and the outbox. It would make sense to create a special group, call it the sendmail group, and give the mailbox directories that group ID, so that sendmail could read all outboxes and write all inboxes. The owner of these directories should be the user, and the user should have general read-write access. Sendmail needs write access to the inboxes, and it needs read-write access to the outboxes (read to get links to messages, write to delete those links after it delivers the mail).

    c) What access rights should the sender of each piece of e-mail set on the file holding that e-mail? (0.5 points)

    Public read access would suffice.

    d) We don't need to keep the sendmail process running continuously. Instead, each time a user wants to send mail, the user could launch a sendmail application that sends just one piece of e-mail. In the context of the directories and access rights outlined above, what access rights do all users need to the sendmail application?

    The sendmail application needs to have the set-group-ID bit set so that, when it is launched, it runs in the sendmail group.

  3. Background: Both of the above schemes rely on appropriate selection of file names.

    The problem: Discuss the relative difficulty of coming up with a naming convention that could be used under the two schemes outlined above. (0.5 points)

    Consider naming each e-mail by the identity of the sender concatenated with a serial number. With this convention, no message will overwrite any other.

    In the first scheme, it is up to each user to agree to the naming convention, as there is no way to force anyone to use such a convention.

    The second scheme allows the sendmail program to rename all messages as it delivers them, so sendmail could easily enforce use of the naming convention.
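The delivery loop of problem 2 with the naming convention of problem 3 enforced by sendmail, as an added example (not code from the course or from any real sendmail). It assumes, as the page does not specify, that the destination address is the first line of the message in the form "To: <user>"; the directory tree is constructed under a temporary root, and the trusted process is modelled as an ordinary function with one serial counter per sender.

```python
import itertools
import os
import tempfile

def make_system(root, users):
    # Constructed sample system: every user u gets /users/u/inbox and
    # /users/u/outbox under a temporary root instead of the real /users.
    for u in users:
        os.makedirs(os.path.join(root, "users", u, "inbox"))
        os.makedirs(os.path.join(root, "users", u, "outbox"))
    return os.path.join(root, "users")

def recipient_of(path):
    # The destination is part of the message content, which is why sendmail
    # must read every message. Assumed format: first line "To: <user>".
    with open(path) as f:
        first = f.readline().strip()
    return first[4:] if first.startswith("To: ") else None

def sendmail_pass(users_dir, serials):
    """One scan of every outbox, as the sendmail process would make it.

    A deliverable message is linked into the recipient's inbox under the
    enforced name <sender>.<serial>, and only after that link exists is the
    outbox link removed, so a crash between the two steps duplicates rather
    than loses mail. Messages with no or unknown recipient stay in the outbox.
    Returns [(sender, original name, recipient, delivered name), ...].
    """
    delivered = []
    for sender in sorted(os.listdir(users_dir)):
        outbox = os.path.join(users_dir, sender, "outbox")
        for name in sorted(os.listdir(outbox)):
            src = os.path.join(outbox, name)
            rcpt = recipient_of(src)
            if rcpt is None or not os.path.isdir(os.path.join(users_dir, rcpt, "inbox")):
                continue
            newname = f"{sender}.{next(serials[sender])}"
            os.link(src, os.path.join(users_dir, rcpt, "inbox", newname))
            os.unlink(src)
            delivered.append((sender, name, rcpt, newname))
    return delivered

def demo():
    users_dir = make_system(tempfile.mkdtemp(), ["a", "b", "u"])
    # Both senders choose the same file name "m"; under the first scheme one
    # message would overwrite the other, here sendmail renames both on delivery.
    for sender in ("a", "b"):
        with open(os.path.join(users_dir, sender, "outbox", "m"), "w") as f:
            f.write(f"To: u\nhello from {sender}\n")
    # A message addressed to a user that does not exist stays in b's outbox.
    with open(os.path.join(users_dir, "b", "outbox", "stuck"), "w") as f:
        f.write("To: nobody\n")
    serials = {u: itertools.count(1) for u in os.listdir(users_dir)}
    sendmail_pass(users_dir, serials)
    return (sorted(os.listdir(os.path.join(users_dir, "u", "inbox"))),
            sorted(os.listdir(os.path.join(users_dir, "b", "outbox"))))
```

Because the name written into the inbox is chosen by sendmail from the sender's identity and a counter it controls, no sender can pick a name that collides with another sender's message, which is exactly what the first scheme could not guarantee.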