From owner-freebsd-isp  Tue Apr  8 08:54:45 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id IAA14752
          for isp-outgoing; Tue, 8 Apr 1997 08:54:45 -0700 (PDT)
Received: from phoenix.volant.org (phoenix.volant.org [205.179.79.193])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id IAA14747
          for <freebsd-isp@freebsd.org>; Tue, 8 Apr 1997 08:54:41 -0700 (PDT)
From: patl@Phoenix.Volant.ORG
Received: from asimov.Phoenix.Volant.ORG [205.179.79.65] 
	by phoenix.volant.org with smtp (Exim 1.59 #1)
	id 0wEdE2-0001fL-00; Tue, 8 Apr 1997 08:54:26 -0700
Received: from localhost by asimov.Phoenix.Volant.ORG (5.x/SMI-SVR4)
	id AA11881; Tue, 8 Apr 1997 08:54:32 -0700
Date: Tue, 8 Apr 1997 08:54:32 -0700 (PDT)
Reply-To: patl@Phoenix.Volant.ORG
Subject: Re: CERT Advisory on IMAP and POP
To: freebsd-isp@freebsd.org
In-Reply-To: <Pine.BSF.3.95.970407154805.16951A-100000@air.infinetgroup.com>
Message-Id: <ML-2.3.860514872.4851.patl@asimov.phoenix.volant.org>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I note that this vulnerability is based on the need to run the
IMAP/POP daemon as root.  That should mean that the cyrus IMAP
server, and its POP daemon are immune.  They run as special
user 'cyrus'; and all mailboxes belong to that user.  It may
be vulnerable to allowing users to run as 'cyrus', which would
open mailboxes to tampering; but shouldn't open any further
vulnerabilities.  Although, you'll probably want to modify the
standard installation to remove owner-write permission from
the binaries in /usr/cyrus/bin.



-Pat