Re: imap4d LIST and DELETE
From: Sergey Poznyakoff
Subject: Re: imap4d LIST and DELETE
Date: Wed, 23 May 2001 14:12:02 +0300

> Ok, but it is a little tricky:
>
> 1- The implementation to "jail" file access to "/home/user/Mail" for example:

Suppose we map '/' to '/home'. '~username' is then mapped to '/home/username'.
Then

a001 LIST "" ../../../../../../../../../../etc/passwd
a002 LIST "" ../../../../../../../../../../Mail/junk
a003 DELETE //../../../../../../home/user/Mail/junk
a004 LIST "" /home/user/Mail/junk
a005 LIST "" /home/user/junk

will definitely fail (and a good thing a001 fails ain't it? :)

a006 LIST "" ~user/Mail/junk
a007 LIST "" ~/Mail/junk
a008 LIST "" ~/junk

will all succeed. Furthermore:

a009 LIST "" ../otheruser/Mail
a010 LIST "" ~otheruser/Mail

will also succeed, provided that /home/otheruser is readable for `user'.

> 3- You may wish to provide shared mailboxes access, like
> ~bugzilla/Mail/PRs
> where users can access different PR's etc ...

<snip>

> 5- What about users with a second account:
>
> a00 SELECT ~mysecond_account/Mail/sent

Again, under the same supposition

a011 LIST "/" *

will list the contents of /home. Thus ~bugzilla/Mail/PRs will work.
The same for users with a second account.

> 2- Using chroot () is probably not a good idea, because INBOX
> still could map to /var/mail/user.

Agreed. But INBOX being the only exception from the mapping rule,
it can be implemented without chroot(), I guess.

> 4- point (3) does not go well with your idea of only listing
> the files owned by user. Imap servers are use

Yes, you are right. At this point I was way too restrictive.
The exact mapping of '/' could be made configurable. For example:

imap4d --home=/var/users.

What do you think about it?

Cheers,
Sergey
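
The mapping proposed in the message above, written out as an added example; it is not part of the original post and not code from imap4d. The function name `map_mailbox` is hypothetical, and the sketch assumes that relative names resolve against the user's own directory (as a009 implies), that a `..` climbing above the mapped root is rejected rather than clamped, and it leaves the INBOX exception out.

```c
#include <stdio.h>
#include <string.h>

/* Map an IMAP mailbox name to a file name below `root`, the directory that
   '/' is mapped to.  Returns 0 and fills `out`, or -1 when the name climbs
   above the root or does not fit (rejecting ".." there is an assumption). */
int map_mailbox(const char *root, const char *user, const char *name,
                char *out, size_t outsz)
{
    char virt[1024], *p = virt;
    size_t mark[128];             /* length of `out` before each component */
    int depth = 0, n;

    if (name[0] == '/')                                   /* absolute name */
        n = snprintf(virt, sizeof virt, "%s", name);
    else if (name[0] == '~' && (name[1] == '/' || name[1] == '\0'))
        n = snprintf(virt, sizeof virt, "/%s%s", user, name + 1);   /* ~/x */
    else if (name[0] == '~')
        n = snprintf(virt, sizeof virt, "/%s", name + 1);      /* ~other/x */
    else                                 /* relative to the user's own home */
        n = snprintf(virt, sizeof virt, "/%s/%s", user, name);
    if (n < 0 || (size_t)n >= sizeof virt || strlen(root) >= outsz)
        return -1;
    strcpy(out, root);
    for (;;) {
        p += strspn(p, "/");              /* skip separators, collapses "//" */
        size_t sl = strcspn(p, "/"), len = strlen(out);
        if (sl == 0)
            return 0;                     /* whole name consumed */
        if (sl == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;                /* would leave the mapped root */
            out[mark[--depth]] = '\0';    /* drop the last component */
        } else if (!(sl == 1 && p[0] == '.')) {
            if (depth == 128 || len + 1 + sl >= outsz)
                return -1;
            mark[depth++] = len;
            snprintf(out + len, outsz - len, "/%.*s", (int)sl, p);
        }
        p += sl;
    }
}

int main(void)
{
    char path[256];
    int rc = map_mailbox("/home", "user", "../otheruser/Mail", path, sizeof path);
    printf("%d %s\n", rc, rc == 0 ? path : "(rejected)");
    return 0;
}
```

With this mapping a004 is not rejected; it resolves to /home/home/user/Mail/junk, so the command fails because that file does not exist.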