Message-ID: <Pine.GSO.4.43.0208111704120.12191-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Re: IMAP4rev1 2000.283 allows access to system files

An alternative, if these are pop/imap mail only accounts, is to give the
accounts a shell of /dev/null. Then they can get e-mail, but are not
allowed to log in or do much if anything else. Additionally, internal
production servers should not be playing pop/imap mail roles, at least not
for external access.

Thanks,

Ron DuFresne

On Sun, 11 Aug 2002, Kurt Seifried wrote:

> Uh. This is EXPECTED behaviour, as in "yes, we know about it, it's designed
> to do this, and has been doing this since the dawn of time". If you do not
> like it you can:
>
> a) chroot the users to their home dir, which is a REAL pain in the ass if
> their mail spool is in /var/spool/mail or something similar, you will also
> need to copy various library files/etc in.
> b) use a different imap server such as cyrus which uses an internal mail
> store
>
>
> Kurt Seifried, kurt@...fried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
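
Added example (not part of the original thread): a small audit that lists which accounts on a mail host still carry a login-capable shell, which is the condition the suggestion above removes. It assumes mail-only accounts can be picked out by a minimum UID and that the shells in NOLOGIN are the ones local policy treats as "no login"; the sample passwd data is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Lists accounts at or above a UID threshold whose shell still permits
# an interactive login.
# Assumptions: mail-only accounts are identified by UID >= MIN_UID, and
# NOLOGIN holds the shells local policy treats as "no login".

NOLOGIN="/dev/null /bin/false /sbin/nologin /usr/sbin/nologin"

# audit_login_shells PASSWD_FILE MIN_UID
# Prints "user:shell" for each flagged account, one per line.
audit_login_shells() {
    awk -F: -v min="$2" -v deny="$NOLOGIN" '
        BEGIN {
            n = split(deny, d, " ")
            for (i = 1; i <= n; i++) nologin[d[i]] = 1
        }
        /^#/ || NF < 7 { next }    # skip comments and malformed lines
        $3 + 0 < min   { next }    # system accounts are out of scope
        {
            # passwd(5): an empty shell field means /bin/sh
            sh = ($7 == "") ? "/bin/sh" : $7
            if (!(sh in nologin)) print $1 ":" sh
        }' "$1"
}

# Constructed sample in passwd(5) format so the script runs offline.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/dev/null
carol:x:1003:1003:Carol:/home/carol:/sbin/nologin
dave:x:1004:1004:Dave:/home/dave:
EOF

audit_login_shells "$SAMPLE" 1000
```

On a real host, pass /etc/passwd as the first argument and adjust the UID threshold and NOLOGIN list to local policy.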