On Thu, 13 Oct 2005, Johann 'Myrkraverk' Oskarsson wrote:
I've recently patched rssh, to allow imapd in addition to the other
commands, for imap over ssh. Since rssh, a shell, is meant to limit
users to a pre-defined set of possible commands, like scp and sftp,
and not shell acess, I was wondering if there were any additional
issues with wu imapd? That is, is it possible, with the use of
command line options, or imap commands, to execute some code on the
server? And therefore bypass what rssh is meant to achieve?
UW imapd does not have any command line options or IMAP commands to
execute some code on the server.
However, you should be aware that IMAP commands are quite powerful. It is
therefore highly advisable that you secure your system such that non-root
users, even with shell access, are preventing from compromising your
system. Among other things, this means that you should use appropriate
file protections to ensure that unprivileged users can not write into
critical system directories (one UNIX system actually allowed ordinary
users to create files in /etc !!) or read security-sensitive files.
Also, to be certain that your copy of imapd has no known security issues,
you should ensure that you have the latest release version of UW imapd.
Currently, the latest release is imap-2004g.
If you do not have imap-2004g, you can get it from:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
[email protected]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
