By default, UW imapd allows access to any file that the logged-in userid has access to. If this is a "vulnerability" in IMAP, then it is a vulnerability in the shell, in FTP, in scp, in NFS, and in anything else that allows file access.

If you wish to restrict user access to certain spaces, take a look at the restrictBox settings in imap-????/src/osdep/unix/env_unix.c. restrictBox is a bitmask which can be set to RESTRICTROOT (to deny access to rooted names) and/or RESTRICTOTHERUSER (to deny access to "~"). If you set RESTRICTOTHERUSER you probably want to set RESTRICTROOT as well.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
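
The interaction between the two restrictBox bits described in the message above, as an added example (not code from the original post or from UW imapd). The helper `name_allowed`, the bit values and the sample mailbox names are assumptions made for illustration; the real definitions and checks live in env_unix.c.

```c
#include <stdio.h>

/* Bit values are assumptions for this sketch; see env_unix.c for the real ones. */
#define RESTRICTROOT      0x1  /* deny rooted names (leading "/") */
#define RESTRICTOTHERUSER 0x2  /* deny names starting with "~" */

/* Hypothetical helper: 1 if the mailbox name passes the mask, 0 if denied.
 * Only the two rules named in the message are modelled here. */
static int name_allowed(const char *name, int restrict_box)
{
    if (!name) return 0;
    if ((restrict_box & RESTRICTROOT) && name[0] == '/') return 0;
    if ((restrict_box & RESTRICTOTHERUSER) && name[0] == '~') return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from any real system. */
    static const char *names[] = {
        "INBOX", "mail/work", "~bob/mbox", "/home/bob/mbox"
    };
    static const struct { const char *label; int mask; } cfgs[] = {
        { "default (0)",            0 },
        { "RESTRICTOTHERUSER only", RESTRICTOTHERUSER },
        { "both bits",              RESTRICTROOT | RESTRICTOTHERUSER },
    };
    size_t i, j;

    for (i = 0; i < sizeof cfgs / sizeof cfgs[0]; i++) {
        printf("%s\n", cfgs[i].label);
        for (j = 0; j < sizeof names / sizeof names[0]; j++)
            printf("  %-16s %s\n", names[j],
                   name_allowed(names[j], cfgs[i].mask) ? "allowed" : "denied");
    }
    return 0;
}
```

With RESTRICTOTHERUSER alone, "~bob/mbox" is denied but the rooted name for the same file still passes, which is why the two bits are normally set together.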
