bug-mailutils

Re: imap4d LIST and DELETE


From: Sergey Poznyakoff
Subject: Re: imap4d LIST and DELETE
Date: Wed, 23 May 2001 14:12:02 +0300

> Ok, but it is a little tricky:
>
> 1- The implementation to "jail" file access to "/home/user/Mail"  for example:

Suppose we map '/' to '/home'. '~username' is then mapped to '/home/username'.
Then

  a001 LIST ""  ../../../../../../../../../../etc/passwd
  a002 LIST ""  ../../../../../../../../../../Mail/junk
  a003 DELETE //../../../../../../home/user/Mail/junk
  a004 LIST "" /home/user/Mail/junk
  a005 LIST "" /home/user/junk

will definitely fail (and a good thing a001 fails ain't it? :)

  a006 LIST "" ~user/Mail/junk
  a007 LIST "" ~/Mail/junk
  a008 LIST "" ~/junk

will all succeed. Furthermore:

  a009 LIST "" ../otheruser/Mail
  a010 LIST "" ~otheruser/Mail

will also succeed, provided that /home/otheruser is readable for `user'.

> 3- You may wish to provide shared mailboxes access, like
>    ~bugzilla/Mail/PRs
>   where users can access different PR's etc ...
<snip>
> 5- What about users with a second account:
>
>    a00 SELECT ~mysecond_account/Mail/sent

Again, under the same supposition 

  a011 LIST "/" *

will list the contents of /home. Thus ~bugzilla/Mail/PRs will work.
The same for users with a second account.

> 2- Using chroot () is probably not a good idea, because INBOX
>   still could map to /var/mail/user.
Agreed. But INBOX being the only exception from the mapping rule,
it can be implemented without chroot(), I guess. 

> 4- point (3) does not go well with your idea of only listing
>   the files owned by user.   Imap servers are use
Yes, you are right. At this point I was way too restrictive. 

The exact mapping of '/' could be made configurable. For example:
imap4d --home=/var/users.

What do you think about it?

Cheers,
Sergey
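
The mapping proposed in this message, as an added example that is not part of the original post and is not mailutils code: '/' maps to a configurable root, '~' and '~username' expand under it, and relative names start in the user's home. The name `map_mailbox` is hypothetical, and rejecting (rather than clamping) a name that climbs above the root is an assumption. Names such as a004 map to a path inside the root that does not exist, so they fail later when the mailbox is opened, not in this check.

```c
#include <stdio.h>
#include <string.h>

/* Added example. Maps an IMAP mailbox name to a path under `root`, the
   directory '/' is mapped to (no trailing slash). Returns 0, or -1 if the name
   climbs above `root` or is too long. Lexical only: no symlinks, no INBOX. */
int map_mailbox(const char *root, const char *user, const char *name,
                char *out, size_t outsz)
{
    char buf[1024];
    int n;
    if (name[0] == '~' && (name[1] == '/' || name[1] == '\0'))
        n = snprintf(buf, sizeof buf, "/%s%s", user, name + 1); /* ~/x */
    else if (name[0] == '~')
        n = snprintf(buf, sizeof buf, "/%s", name + 1);         /* ~other/x */
    else if (name[0] == '/')
        n = snprintf(buf, sizeof buf, "%s", name);              /* absolute */
    else
        n = snprintf(buf, sizeof buf, "/%s/%s", user, name);    /* in home */
    if (n < 0 || (size_t) n >= sizeof buf) return -1;
    size_t base = strlen(root), len = base;
    if (base + 1 > outsz) return -1;
    memcpy(out, root, base + 1);
    /* Rebuild the path one component at a time on top of the root. */
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (len == base) return -1;   /* would leave the mapped root */
            while (out[--len] != '/') ;   /* drop the last component */
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + sl + 2 > outsz) return -1;
        out[len++] = '/';
        memcpy(out + len, seg, sl + 1);
        len += sl;
    }
    return 0;
}

int main(void)
{
    char p[256];   /* names follow the message's a001 (shortened), a007, a009 */
    const char *t[] = { "../../../etc/passwd", "~/Mail/junk", "../otheruser/Mail" };
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", t[i],
               map_mailbox("/home", "user", t[i], p, sizeof p) ? "(rejected)" : p);
    return 0;
}
```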