Mailbox vulnerable?

Olga olga at urbantimes.net
Mon Jun 28 19:12:06 UTC 2004


Well, you can either take Red Hat point of view or the
University of Washington. You can leave the permissions the
way they are, but you will have those messages in the log.
If they don't bother you that's ok, but they bugged me.
On one test box I also tried installing an older version of
imap over the top and that solved the problem for me as
well. I didn't have to change permission and there were no
messages.


Quoting Hongwei Li <hongwei at morpheus.wustl.edu>:

> > The bug has already been reported:
> >
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=103479
> >
>
> Thanks!  This is very useful!  What do you think about the comment in the
> report page, especially the 3rd paragraph:
>
> Additional Comment #3 From Mike A. Harris on 2004-02-27 04:58 -------
>
> This warning message from UW imap is 100% bogus.  Red Hat does not
> use the same locking mechanism that is recommended by the UW imap
> people, because it is inherently more insecure.
>
> All software on the system which accesses the mail spool files
> must agree upon a common locking mechanism, and must be patched
> if necessary to all use one single mechanism.  Red Hat has been
> using the same mechanism in all OS releases for many years now,
> and we have patched UW imap, and UW pine to use our system-wide
> mechanism for some time now.
>
> UW suggests that the mail spool directory should be mode 1777,
> which is incredibly insane, as that makes the mail spool directory
> *world writeable*, and thus subject to local DOS attacks.  That
> is totally unacceptable in a modern Linux/UNIX OS.
>
> The proper fix for this bug, is to patch the UW imap sources to
> remove this bogus warning/error message, because we do not use
> the insecure method that UW recommends for mail locking.  Doing
> otherwise, would require patching every single MTA, MDA, and MUA
> in the entire distribution to do it the insecure world-writeable
> way, and we decided a very long time ago that that was not acceptable.
>
>
>




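The quoted Bugzilla comment objects to a mode-1777 (world-writable) mail spool directory. The shell function below is an added example, not code from this thread or from Red Hat or UW; it assumes a Linux system with POSIX find and ls, and reports whether a given spool directory is world-writable, which is the layout the comment rejects.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a mail spool directory
# has the "other write" bit set, i.e. the mode-1777 layout discussed above.
# Assumes only POSIX find and ls; no GNU-specific flags are used.

# Return 0 when the directory is not world-writable, 1 when it is,
# 2 when the path is missing or is not a directory.
check_spool_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf '%s: not a directory\n' "$dir" >&2
        return 2
    fi
    # -prune stops find from descending into the directory; -perm -002
    # matches when the other-write bit is set, whatever the other bits are.
    if [ -n "$(find "$dir" -prune -perm -002)" ]; then
        printf '%s is world-writable (UW-style mode 1777 spool):\n' "$dir"
        ls -ld "$dir"
        return 1
    fi
    # A group-writable spool owned by a mail group (assumed Red Hat-style
    # layout) passes this check, since only the other-write bit is tested.
    printf '%s is not world-writable:\n' "$dir"
    ls -ld "$dir"
    return 0
}

# Stand-alone use: pass the spool path as the first argument,
# e.g. ./check_spool.sh /var/spool/mail
if [ "$#" -gt 0 ]; then
    check_spool_dir "$1"
fi
```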