Date: Fri, 4 Dec 1998 19:51:34 +1300 (NZDT)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: FreeBSD Security <security@FreeBSD.ORG>
Subject: IMAP (was Re: mail.local)
Message-ID: <Pine.BSF.4.05.9812041935300.27408-100000@aniwa.sky>
In-Reply-To: <55915.912748357@gjp.erols.com>

On Fri, 4 Dec 1998, Gary Palmer wrote:

> Robert Watson wrote in message ID
> <Pine.BSF.3.96.981203123334.12137A-100000@fledge.watson.org>:
> > On Thu, 3 Dec 1998, Bill Woodford wrote:
> > say, pine. My feeling is more and more that we should be using protocols
> > such as IMAP for mail access rather than try to fit everything into the
>
> Please don't use IMAP. It is a bloated ``designed by committee'' protocol and
> looks like a nightmare to implement in an efficient (scalable) fashion. Makes
> me want to write my own protocol :(

When I read the IMAP RFC some time back, it took me about 15 minutes to
realise that there'd be lots of machines out there with open guest
accounts for things like ftp:ftp and guest:guest and that logging in as
one of these would give (unprivileged) read access to any file in the
system.

These users would normally not be expected to have access to the whole
file tree, and in many cases the systems running mail servers are
configured without the expectation of untrusted users rummaging through
the file system.

I've been told that some IMAP servers have good restrictions on what file
areas can be accessed by what users, but I don't know which ones.

I contacted the people that put out the imap-uw software and the guy was
pretty prickly about my suggesting it was a problem. He was of the
opinion that world read perms on files mean that it's OK for the world to
have read access.

So, does anyone know an IMAP server which can be set up to limit which
areas of the file system are accessible, and preferably that can run off a
passwd file other than the system one?

Andrew McNaughton
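
The kind of restriction the message asks about, limiting which areas of the file system a logged-in IMAP user can reach, shown as an added example that is not part of the original message and not taken from any IMAP server. It assumes a server that maps client-supplied mailbox names to files under a per-user mail directory; `resolve_mailbox`, the directory layout and the sample names are all hypothetical.

```python
import os
import tempfile


def resolve_mailbox(mail_root, name):
    """Map a client-supplied mailbox name to a path under mail_root.

    Returns the resolved path, or None when the name would reach outside
    the user's mail root.
    """
    root = os.path.realpath(mail_root)
    # An absolute name would make os.path.join discard the root entirely.
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    # realpath collapses ".." and follows symlinks, so the comparison is
    # made on the location that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def build_demo_tree():
    """Constructed sample layout: a guest mail root beside a world-readable file."""
    base = tempfile.mkdtemp(prefix="imap-demo-")
    root = os.path.join(base, "mail", "guest")
    os.makedirs(root)
    with open(os.path.join(root, "INBOX"), "w") as fh:
        fh.write("From demo@example.invalid\n")
    outside = os.path.join(base, "world-readable.conf")
    with open(outside, "w") as fh:
        fh.write("not mail\n")
    os.chmod(outside, 0o644)
    # A symlink inside the mail root that points back out of it.
    os.symlink(outside, os.path.join(root, "escape"))
    return root


def demo():
    """Check constructed mailbox names against the guest mail root."""
    root = build_demo_tree()
    names = ["INBOX", "/etc/passwd", "../../world-readable.conf", "escape", "."]
    return {n: resolve_mailbox(root, n) is not None for n in names}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name!r:32} {'allowed' if allowed else 'refused'}")
```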