Mailbox vulnerable?

Hongwei Li hongwei at morpheus.wustl.edu
Mon Jun 28 19:04:42 UTC 2004


> The bug has already been reported:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
>

Thanks!  This is very useful!  What do you think about the comment in the
report page, especially the 3rd paragraph:

Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------

This warning message from UW imap is 100% bogus.  Red Hat does not
use the same locking mechanism that is recommended by the UW imap
people, because it is inherently more insecure.

All software on the system which accesses the mail spool files
must agree upon a common locking mechanism, and must be patched
if necessary to all use one single mechanism.  Red Hat has been
using the same mechanism in all OS releases for many years now,
and we have patched UW imap, and UW pine to use our system-wide
mechanism for some time now.

UW suggests that the mail spool directory should be mode 1777,
which is incredibly insane, as that makes the mail spool directory
*world writeable*, and thus subject to local DOS attacks.  That
is totally unacceptable in a modern Linux/UNIX OS.

The proper fix for this bug, is to patch the UW imap sources to
remove this bogus warning/error message, because we do not use
the insecure method that UW recommends for mail locking.  Doing
otherwise, would require patching every single MTA, MDA, and MUA
in the entire distribution to do it the insecure world-writeable
way, and we decided a very long time ago that that was
not acceptable.
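
An added example, not part of the original post or the quoted bug report: a small audit that reports whether a mail spool directory is world-writable (the mode 1777 discussed above) and whether any mailbox in it is open to other users. The helper names, the user name `alice` and the 0775 comparison mode are assumptions made for this illustration.

```python
import os
import stat
import tempfile

def audit_spool(path):
    """Return findings about the permissions of a mail spool directory."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        # World-writable: every local account can create files in the spool.
        # The sticky bit (the leading 1 in 1777) only stops users from
        # deleting or renaming files that belong to someone else.
        kind = "sticky" if mode & stat.S_ISVTX else "NOT sticky"
        findings.append(f"spool dir mode {mode:04o}: world-writable, {kind}")
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{name}: symlink in spool")
        elif stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(
                f"{name}: mailbox mode {stat.S_IMODE(st.st_mode):04o} is open to other users"
            )
    return findings

def build_sample_spool(dir_mode, mailbox_mode=0o660):
    """Create a constructed spool with one mailbox, for demonstration only."""
    root = tempfile.mkdtemp(prefix="spool-")
    box = os.path.join(root, "alice")  # constructed user name
    with open(box, "w") as fh:
        fh.write("From alice@example.org Mon Jun 28 19:04:42 2004\n\n")
    os.chmod(box, mailbox_mode)
    os.chmod(root, dir_mode)
    return root

if __name__ == "__main__":
    # 1777 is the mode named in the comment above; 0775 is an assumed
    # group-writable comparison, not a value taken from the page.
    for dir_mode in (0o1777, 0o775):
        spool = build_sample_spool(dir_mode)
        print(f"{dir_mode:04o}:", audit_spool(spool) or "no findings")
```

Point `audit_spool` at the real spool path on a host to see which locking layout its permissions imply.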
