Date: Tue, 8 Apr 1997 08:54:32 -0700 (PDT) From: patl@Phoenix.Volant.ORG To: freebsd-isp@freebsd.org Subject: Re: CERT Advisory on IMAP and POP Message-ID: <ML-2.3.860514872.4851.patl@asimov.phoenix.volant.org> In-Reply-To: <Pine.BSF.3.95.970407154805.16951A-100000@air.infinetgroup.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I note that this vulnerability is based on the need to run the IMAP/POP daemon as root. That should mean that the cyrus IMAP server, and its POP daemon are immune. They run as special user 'cyrus'; and all mailboxes belong to that user. It may be vulnerable to allowing users to run as 'cyrus', which would open mailboxes to tampering; but shouldn't open any further vulnerabilities. Although, you'll probably want to modify the standard installation to remove owner-write permission from the binaries in /usr/cyrus/bin. -Pat
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ML-2.3.860514872.4851.patl>