[Imap-uw] Does wu-imapd allow users to run any other code?
mrc at CAC.Washington.EDU
Thu Oct 13 10:52:53 PDT 2005
On Thu, 13 Oct 2005, Johann 'Myrkraverk' Oskarsson wrote:
> I've recently patched rssh, to allow imapd in addition to the other
> commands, for imap over ssh. Since rssh, a shell, is meant to limit
> users to a pre-defined set of possible commands, like scp and sftp,
> and not shell acess, I was wondering if there were any additional
> issues with wu imapd? That is, is it possible, with the use of
> command line options, or imap commands, to execute some code on the
> server? And therefore bypass what rssh is meant to achieve?
UW imapd does not have any command line options or IMAP commands to
execute some code on the server.
However, you should be aware that IMAP commands are quite powerful. It is
therefore highly advisable that you secure your system such that non-root
users, even with shell access, are preventing from compromising your
system. Among other things, this means that you should use appropriate
file protections to ensure that unprivileged users can not write into
critical system directories (one UNIX system actually allowed ordinary
users to create files in /etc !!) or read security-sensitive files.
Also, to be certain that your copy of imapd has no known security issues,
you should ensure that you have the latest release version of UW imapd.
Currently, the latest release is imap-2004g.
If you do not have imap-2004g, you can get it from:
-- Mark --
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
More information about the Imap-uw