Full Disclosure mailing list archives
Re: IMAP4rev1 2000.283 allows access to system files
From: full-disclosure () lists netsys com (Ron DuFresne)
Date: Sun, 11 Aug 2002 17:06:56 -0500 (CDT)
an alternative, if these are pop/imap mail only accounts, is to give the accounts a shell of /dav/null. Then they can get e-mail, but, are not allowed to login or do much if anything else. Additionally, internal production servers should notbe playing pop/imap mail roles, at least not for external access. Thanks, Ron DuFresne On Sun, 11 Aug 2002, Kurt Seifried wrote:
Uh. This is EXPECTED behaviour, as in "yes, we know about it, it's designed to do this, and has been doing this since the dawn of time". If you do not like it you can: a) chroot the users to their home dir, which is a REAL pain in the ass if their mail spool is in /var/spool/mail or something similar, you will also need to copy various library files/etc in. b) use a different imap server such as cyrus which uses an internal mail store Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- IMAP4rev1 2000.283 allows access to system files Guy Cohen (Aug 10)
- IMAP4rev1 2000.283 allows access to system files Joao Gouveia (Aug 10)
- Re: IMAP4rev1 2000.283 allows access to system files Guy Cohen (Aug 11)
- Re: IMAP4rev1 2000.283 allows access to system files Kurt Seifried (Aug 11)
- Re: IMAP4rev1 2000.283 allows access to system files Ron DuFresne (Aug 11)
- Re: IMAP4rev1 2000.283 allows access to system files Guy Cohen (Aug 11)
- IMAP4rev1 2000.283 allows access to system files Joao Gouveia (Aug 10)