List:       c-client
Subject:    Re: Securing uw-imapd
From:       Mark Crispin <mrc () CAC ! Washington ! EDU>
Date:       2001-09-28 2:38:56

On Tue, 25 Sep 2001, Przemyslaw Wegrzyn wrote:
> I have recently discovered that user can do something like this:
>
> 00 LOGIN user pass
> 00 SELECT /etc/passwd
> 00 FETCH 1 RFC822.TEXT

That is correct.  A user of a default-configured imapd can access any file
that he can access from the shell.

> How can I restrict users to access files below their homes only ?

Refer to imap-2001/docs/CONFIG for a pointer to the routine which
translates a mailbox name to a file name.  Hack that routine so that any
unapproved name doesn't work.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
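
[Added example, not part of the original message and not c-client code.] A sketch of the kind of name check the reply suggests adding to the mailbox-name-to-file-name translation: the helper name mailbox_name_confined is hypothetical, and it assumes that approved names are resolved relative to the user's home directory. The check is lexical only, so symbolic links that already exist inside the home directory are out of its scope.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of c-client): returns 1 if a client-supplied
 * mailbox name may be resolved relative to the user's home directory,
 * 0 if it must be refused before any file name is built from it. */
int mailbox_name_confined(const char *name)
{
    const char *p, *end;
    size_t len;

    if (name == NULL || *name == '\0')
        return 0;
    /* Absolute paths and ~ / ~user expansions leave the home directory. */
    if (name[0] == '/' || name[0] == '~')
        return 0;
    /* Walk the '/'-separated components and refuse any ".." component. */
    for (p = name; *p != '\0'; p = (*end == '/') ? end + 1 : end) {
        end = strchr(p, '/');
        if (end == NULL)
            end = p + strlen(p);
        len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names; the second is the one from the quoted session. */
    const char *samples[] = { "INBOX", "/etc/passwd", "mail/lists",
                              "mail/../../etc/passwd", "~root/mbox" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               mailbox_name_confined(samples[i]) ? "allowed" : "refused");
    return 0;
}
```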
