Re: IMAP security
On Mon, 5 Nov 2001, Antti Tolamo wrote:
>
> Just noticed something odd, not sure is this
> a security problem or what.
>
> I have Debian potato server for own use , where I few days
> ago installed IMAP 4.7c-1 because WAP email reading PHP/WML script
> from:
>
Ugh that's old. Get 2001a.
> http://e-sphere.net/
>
> needs it.
>
>
>
> Just few minutes ago I tried to fetch mail from one account
> using Windows Eudora 5.1. I was checking multiple
> times imap box to see has one test message come there.
>
> And surprise suddenny I can seewhole contents
> directory of /var/www from Eudora.
>
> I can inspect invidual files, inspect directories
> through Eudora folders, I even see who owns the files( but I'm not
> sure is it group or owner). Can't delete files or change them
> however.
>
I've said it before and I'll say it again. Giving a user with a shell
account IMAP access is just like giving them telnet or ssh access. All
the same security concerns and practices apply.
There are some ways around it though.
1. Don't give users shell access on your mail server. Their home
directories should contain nothing but mailboxes.
2. Configure the imap server to restrict the visible namespace. UWs'
imapd can be compiled to chroot the user upon login. (This is not enabled
in the Debian package by default though. You have to recompile.) This
can have its' own problems if the user also has a shell acount.
3. Use an imap server like that avoids using the filesystem altogether
for the mail store. It uses a database which also has problems if you
need non-cyrus access to mail.
Personally, I don't think it's really a big deal for most people. A
malicious user can't do anything through imap they couldn't do through
their shell account.
--
Jaldhar H. Vyas <jaldhar@debian.org>
Reply to: