[Vmail-discuss] Webmail for vmail-sql
Paul Warren
pdw@xxxxxxxxxxxxx
Wed, 29 Aug 2001 11:02:14 +0100

On Wed, Aug 29, 2001 at 10:38:53AM +0100, Chris Lightfoot wrote:
> On Wed, Aug 29, 2001 at 10:07:05AM +0100, Paul Warren wrote:
> > On Wed, Aug 29, 2001 at 09:59:42AM +0200, Marcin Sochacki wrote:
> > [virtual webmail]
>
> > > P.S. Chris and The Team: how about hacking some IMAP
> > > server to support Vmail-SQL authentication?
> >
> > Whilst this would undoubtedly be a nice endpoint, getting there is not -
> > the wu-imapd code is (according to Chris) pretty horrid.
>
> It's foul and deranged.

Yeah - now that I remember, the one time that I have looked at any of
the code I found that the 20 lines that I looked at:
i) were foul and deranged
ii) contained at least one simple crash bug.

> Yeah. The nested folders problem is easily solved by
> escaping; the others are not. I believe that the WU people
> have asserted that they do not very much care about
> security holes which allow people to get a shell after
> authentication (i.e. once the daemon is running as a
> normal user), which is OK where all users have shells,
> pretty poor when not, and obviously disastrous if numerous
> UNIX users share mailspools.

Indeed.

> [Thinks....] This particular security problem is easy to
> solve if we require that user foo@example.com's mail goes
> in the directory /var/spool/mail/SERVERS/example.com/foo/;
> then we can (modulo some subtleties) use chroot and
> assume, pretty much, that everything will be safe. (It's
> easy to break out of a chroot if you are the superuser,
> hard otherwise.) But this is wildly ugly.

I'm not sure that it's all that ugly...

Paul
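
Added example (not part of the original thread, and not vmail-sql or wu-imapd code): the per-mailbox chroot layout quoted above, written in C, mapping an address to its spool directory and then confining and dropping privileges in the order that keeps the chroot effective. The function names, the character whitelist and the assumption that each mailbox is served under a non-root uid/gid are this example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SPOOL_ROOT "/var/spool/mail/SERVERS"   /* layout from the thread */

/* A path component is accepted if it is non-empty, has no leading dot
 * (rules out "." and ".."), and uses only [A-Za-z0-9._-] (assumed whitelist). */
static int safe_component(const char *s, size_t n)
{
    if (n == 0 || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Map "local@domain" to SPOOL_ROOT/domain/local/. Returns 0, or -1 if rejected. */
int spool_dir_for(const char *addr, char *out, size_t outlen)
{
    const char *at = strchr(addr, '@');
    if (!at || strchr(at + 1, '@')) return -1;          /* exactly one '@' */
    size_t llen = (size_t)(at - addr), dlen = strlen(at + 1);
    if (!safe_component(addr, llen) || !safe_component(at + 1, dlen)) return -1;
    int n = snprintf(out, outlen, "%s/%s/%.*s/", SPOOL_ROOT, at + 1, (int)llen, addr);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;      /* reject truncation */
}

/* Call as root once the user has authenticated: confine, then drop root for good. */
int confine_to_spool(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;                 /* root can leave a chroot */
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;  /* chdir: cwd must be inside */
    if (setgroups(0, NULL) != 0) return -1;              /* drop supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1; /* group first, then user */
    if (setuid(0) == 0) return -1;                       /* root must be unrecoverable */
    return 0;
}
```

File descriptors opened before confine_to_spool() stay usable afterwards, so anything pointing outside the spool directory should be closed first.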