  From: David Harris <dharris@drh.net>
  To  : <imapvpop@davideous.com>
  Date: Tue, 11 Jan 2000 21:46:27 -0500

[background04] first run it with getpwnam replacement 2 of 2

Here is the second e-mail from my first run-in with a getpwnam replacement.
I asked this guy to try breaking down the security in this message and he
never got back to me. I later got verification from another guy that this
is, in fact, insecure. I'll post that e-mail soon enough.

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	David Harris [mailto:dharris@drh.net]
Sent:	Thursday, December 02, 1999 2:22 PM
To:	Darcy Buskermolen
Subject:	RE: Any Decent IMAP server? [single-uid interface]


> This patch has nothing to do with blackbox, I've never tried to limit the
> ".."'s however this is purely a different mechanism to get user/pass's out
> of the "/etc/passwd" (in this case being done in Postgresql)

Blackbox as it was originally written was just a way of saying "this user
may not access files outside of a specific directory"... it was designed for
systems that have an NFS /var/spool/mail or home directories. There was then a
"blackbox" directory, say "/mnt1/mail" and each user had their own directory
inside of that, say, "/mnt1/mail/$USER". They were not allowed to access any
e-mail outside of this directory (even in their home directory) because it
might not be NFS safe.

I'm not using this feature of blackbox. I'm just using the blackBox flag to make
c-client be strict and not allow them to access e-mail outside of their home
directory.

With your system, the blackBox flag is not set, so users are allowed to
specify ".." in their mailbox names. This means that if you are running
multiple e-mail users inside of one UID, they can all read each other's
e-mail.

I urge you to simply TRY breaking down the security walls this way. Assume
you have two e-mail users running as the same uid with the directories
"/mnt1/mail/usera" and "/mnt2/mail/userb". Assume that userb had a folder
named "folderb". Try logging in as usera, and then getting the mailbox
"../userb/folderb". From my source code understanding, I expect that this
will work and usera can read userb's e-mail.

Please try this and look at the source code to see if this will be a
problem.

> >Also, because your users are not black box, this may attempt to look for a
> >/var/spool/mail/$USER file. Do you know what value
> >src/osdep/unix/env_unix.c:env_init sets for sysInbox?
>
> Off the top of my head no I do not.

I'm not exactly sure what the ramifications of this may be for you. For me,
allowing each LOCALIP to have users with the same names, it could be a big
problem.

 - David Harris
   Principal Engineer, DRH Internet Services
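The confinement problem David describes above, shown as an added example that is not part of the original message or of the c-client code: a permissive resolver that lets a shared-UID user reach "../userb/folderb", beside a strict resolver that confines every mailbox name to the user's own directory. The root "/mnt1/mail" and the user names are constructed to match the message's layout; the function names are hypothetical.

```python
import posixpath
from typing import Optional

# Constructed to match the layout in the message: one directory per user,
# all users served by the same UID, so the filesystem does not separate them.
BLACKBOX_ROOT = "/mnt1/mail"


def permissive_resolve(user: str, mailbox: str, root: str = BLACKBOX_ROOT) -> str:
    """Resolve a mailbox name without a black-box check (the weak behaviour).

    Nothing stops ".." from walking out of the user's directory, so usera can
    name userb's folder and the shared UID has permission to open it.
    """
    return posixpath.normpath(posixpath.join(root, user, mailbox))


def strict_resolve(user: str, mailbox: str, root: str = BLACKBOX_ROOT) -> Optional[str]:
    """Resolve a mailbox name confined to root/<user>/ (the black-box behaviour).

    Returns the absolute path, or None when the name would escape the user's
    directory. The check is lexical (normpath); a deployment should also guard
    against symlinks inside the user directory, e.g. with realpath after open.
    """
    # The user name itself must be a single path component.
    if not user or "/" in user or user in (".", ".."):
        return None
    # Absolute mailbox names have no meaning in single-UID mode (assumption):
    # reject them instead of silently re-rooting them.
    if mailbox.startswith("/"):
        return None
    user_dir = posixpath.join(root, user)
    target = posixpath.normpath(posixpath.join(user_dir, mailbox))
    # Accept the directory itself or anything strictly below it.
    if target != user_dir and not target.startswith(user_dir + "/"):
        return None
    return target


if __name__ == "__main__":
    # usera asks for userb's folder, exactly as in the message.
    print("permissive:", permissive_resolve("usera", "../userb/folderb"))
    print("strict:    ", strict_resolve("usera", "../userb/folderb"))
```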


