On Mon, 5 Nov 2001, Antti Tolamo wrote:

> Just noticed something odd, not sure if this is
> a security problem or what.
>
> I have a Debian potato server for my own use, where a few days
> ago I installed IMAP 4.7c-1 because a WAP email reading PHP/WML script
> from:

Ugh that's old. Get 2001a.

> http://e-sphere.net/
>
> needs it.
>
> Just a few minutes ago I tried to fetch mail from one account
> using Windows Eudora 5.1. I was checking the imap box multiple
> times to see whether one test message had come there.
>
> And surprise, suddenly I can see the whole contents of the
> directory /var/www from Eudora.
>
> I can inspect individual files, inspect directories
> through Eudora folders, I even see who owns the files (but I'm not
> sure if it is group or owner). Can't delete files or change them
> however.

I've said it before and I'll say it again. Giving a user with a shell
account IMAP access is just like giving them telnet or ssh access. All
the same security concerns and practices apply. There are some ways
around it though.

1. Don't give users shell access on your mail server. Their home
   directories should contain nothing but mailboxes.

2. Configure the imap server to restrict the visible namespace. UW's
   imapd can be compiled to chroot the user upon login. (This is not
   enabled in the Debian package by default though. You have to
   recompile.) This can have its own problems if the user also has a
   shell account.

3. Use an imap server like that avoids using the filesystem altogether
   for the mail store. It uses a database which also has problems if
   you need non-cyrus access to mail.

Personally, I don't think it's really a big deal for most people. A
malicious user can't do anything through imap they couldn't do through
their shell account.

--
Jaldhar H. Vyas <[EMAIL PROTECTED]>
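An added audit helper for point 1 of the reply above (example code, not part of the thread or of any Debian package): it lists accounts that own a mail spool file and still have an interactive login shell, which is the combination the reply says a mail server should not have. The passwd entries, spool directory and usernames are constructed sample data.

```shell
#!/bin/sh
# Flag accounts that have both a mailbox in the spool directory and an
# interactive login shell. On a mail-only server the expected output is empty.

# Shells that do not grant an interactive login (assumed list).
NOLOGIN_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_shell_mail_users PASSWD_FILE SPOOL_DIR
# Prints, one per line, each non-system user in PASSWD_FILE who owns a
# mailbox file in SPOOL_DIR and whose login shell is interactive.
audit_shell_mail_users() {
    passwd="$1"; spool="$2"
    while IFS=: read -r user _ uid _ _ _ shell; do
        [ "$uid" -ge 1000 ] || continue        # skip system accounts
        [ -f "$spool/$user" ] || continue      # no mailbox: not an IMAP user
        is_nologin_shell "$shell" && continue  # shell-less account is fine
        echo "$user"
    done < "$passwd"
}

# Constructed sample data so the script runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/usr/sbin/nologin
carol:x:1002:1002::/home/carol:/bin/sh
EOF
    mkdir "$tmp/mail"
    : > "$tmp/mail/alice"   # alice: mailbox + bash  -> flagged
    : > "$tmp/mail/bob"     # bob:   mailbox + nologin -> fine
    audit_shell_mail_users "$tmp/passwd" "$tmp/mail"
    rm -rf "$tmp"
}
```

Run it against the real files with `audit_shell_mail_users /etc/passwd /var/mail`; any name printed is a user whose IMAP access is equivalent to shell access.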