Mailbox vulnerable?

Jeff Vian jvian10 at charter.net
Tue Jun 29 01:02:35 UTC 2004


On Mon, 2004-06-28 at 14:12, Olga wrote:
> Well, you can either take the Red Hat point of view or the
> University of Washington.  You can leave the permissions the
> way they are, but you will have those messages in the log.
> If they don't bother you that's ok, but they bugged me.
> On one test box I also tried installing an older version of
> imap over the top and that solved the problem for me as
> well. I didn't have to change permission and there were no
> messages.
> 

Probably the one giving the messages came from some source other than
RedHat, and did not have their patches applied.  The age of the package
would not really be a factor, since the ones from redhat were patched
and the ones from other sources were not.
 
> 
> Quoting Hongwei Li <hongwei at morpheus.wustl.edu>:
> 
> > > The bug has already been reported:
> > >
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
> > >
> >
> > Thanks!  This is very useful!  What do you think about the comment
> > in the report page, especially the 3rd paragraph:
> >
> > Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------
> >
> > This warning message from UW imap is 100% bogus.  Red Hat does not
> > use the same locking mechanism that is recommended by the UW imap
> > people, because it is inherently more insecure.
> >
> > All software on the system which accesses the mail spool files
> > must agree upon a common locking mechanism, and must be patched
> > if necessary to all use one single mechanism.  Red Hat has been
> > using the same mechanism in all OS releases for many years now,
> > and we have patched UW imap, and UW pine to use our system-wide
> > mechanism for some time now.
> >
> > UW suggests that the mail spool directory should be mode 1777,
> > which is incredibly insane, as that makes the mail spool directory
> > *world writeable*, and thus subject to local DOS attacks.  That
> > is totally unacceptable in a modern Linux/UNIX OS.
> >
> > The proper fix for this bug, is to patch the UW imap sources to
> > remove this bogus warning/error message, because we do not use
> > the insecure method that UW recommends for mail locking.  Doing
> > otherwise, would require patching every single MTA, MDA, and MUA
> > in the entire distribution to do it the insecure world-writeable
> > way, and we decided a very long time ago that that was
> > not acceptable.
> >

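The directory modes argued over in the quoted Bugzilla comment can be checked directly on a host. The following is an added example, not part of the original thread and not Red Hat's or UW's code; the default path `/var/spool/mail` and the function names are assumptions, since the thread does not name the spool location.

```python
import os
import stat

# Assumed spool location; the thread itself never names the path.
DEFAULT_SPOOL = "/var/spool/mail"

def classify_spool_mode(mode):
    """Classify the permission bits of a mail spool directory (st_mode)."""
    perms = stat.S_IMODE(mode)
    world_writable = bool(perms & stat.S_IWOTH)
    sticky = bool(perms & stat.S_ISVTX)
    if world_writable and sticky:
        # e.g. 1777, the mode the quoted comment says UW suggests:
        # any local user can create entries in the spool.
        return "world-writable+sticky"
    if world_writable:
        # e.g. 0777: as above, and users can also remove each other's files.
        return "world-writable"
    if perms & stat.S_IWGRP:
        # e.g. 0775: only the owner and one group can create entries.
        return "group-writable"
    return "owner-only"

def audit_spool(path=DEFAULT_SPOOL):
    """Return the mode, ownership and classification of a spool directory."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    return {
        "path": path,
        "mode": format(stat.S_IMODE(st.st_mode), "04o"),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "class": classify_spool_mode(st.st_mode),
        # True when any local account can create files in the directory.
        "any_user_can_create": bool(st.st_mode & stat.S_IWOTH),
    }

if __name__ == "__main__":
    if os.path.isdir(DEFAULT_SPOOL):
        print(audit_spool())
    else:
        print(f"{DEFAULT_SPOOL} not present on this host")
```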