List: c-client
Subject: Re: Securing uw-imapd
From: Mark Crispin <mrc () CAC ! Washington ! EDU>
Date: 2001-09-28 2:38:56
On Tue, 25 Sep 2001, Przemyslaw Wegrzyn wrote:
> I have recently discovered that user can do something like this:
>
> 00 LOGIN user pass
> 00 SELECT /etc/passwd
> 00 FETCH 1 RFC822.TEXT

That is correct. A user of a default-configured imapd can access any file
that he can access from the shell.

> How can I restrict users to access files below their homes only ?

Refer to imap-2001/docs/CONFIG for a pointer to the routine which
translates a mailbox name to a file name. Hack that routine so that any
unapproved name doesn't work.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
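
The kind of name check the reply describes, as an added example that is not part of the original message and is not UW imapd or c-client code. The function name `mailbox_to_path`, the home directory `/home/user` and the sample names are assumptions; the check is lexical only and does not resolve symlinks inside the home directory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a c-client routine: map a client-supplied
 * mailbox name to a path under `home`, or return -1 if the name is
 * not approved. Lexical check only; symlinks are not resolved. */
int mailbox_to_path(const char *home, const char *name,
                    char *out, size_t outlen)
{
    const char *p = name;

    if (!home || !name || !out || home[0] != '/') return -1;
    /* Reject empty names, absolute paths and ~user expansion. */
    if (*name == '\0' || *name == '/' || *name == '~') return -1;

    while (*p) {
        size_t len = strcspn(p, "/");      /* length of this component */
        /* Reject empty components ("a//b") and "." / "..". */
        if (len == 0) return -1;
        if (len == 1 && p[0] == '.') return -1;
        if (len == 2 && p[0] == '.' && p[1] == '.') return -1;
        /* Reject control characters inside the component. */
        for (size_t i = 0; i < len; i++)
            if ((unsigned char)p[i] < 0x20 || p[i] == 0x7f) return -1;
        p += len;
        if (*p == '/' && *++p == '\0') return -1;   /* trailing slash */
    }

    /* Join home and name; fail rather than truncate. */
    int n = snprintf(out, outlen, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, including the one from the report. */
    const char *names[] = { "mbox", "mail/saved", "/etc/passwd",
                            "../../etc/passwd", "mail/../../x", "~root/mbox" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
        int rc = mailbox_to_path("/home/user", names[i], path, sizeof path);
        printf("%-18s -> %s\n", names[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```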