Package: uw-imapd
Severity: wishlist
Version: 7:2002edebian1-11
Tags: security
CAN-2002-1782 describes a security hole in uw-imapd's default configuration: if a mail server has users who do not have shell access, they can access arbitrary files (which files is not specified; may be limited to mailboxes, may be more) which their user account has read access for, but to which they have no other means of access. This is documented in the FAQ at http://www.washington.edu/imap/IMAP-FAQs/index.html#5.1 , which also explains how to recompile uw-imapd to enable other behavior, including an option to limit file accesses to a user's home directory.

The problem is that the Debian binary package is not built with any of these security features turned on, and that they require a recompile to enable. And of course they cannot really be turned on by default without breaking existing servers.

I suggest making the options configurable in a config file or something, so that users who need the added security features can easily turn them on.

-- see shy jo
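To make the "limit file accesses to a user's home directory" restriction concrete, here is an added example (not uw-imapd or Debian code) of the kind of check such an option enforces: the mailbox name the IMAP client supplies, whether absolute or home-relative, is normalised and must resolve under the account's home directory. The function names are hypothetical, and the check is purely lexical, so a real server would additionally resolve symlinks (e.g. with realpath()) before opening the file.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexically normalise absolute path `in` (resolve "." and "..", collapse "//")
 * into `out`. Returns false on overflow or if ".." would climb above "/". */
static bool normalize_path(const char *in, char *out, size_t outlen)
{
    char buf[4096];
    size_t len = 0;
    if (in[0] != '/' || outlen == 0) return false;
    buf[len++] = '/';
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (len == 1) return false;              /* would escape "/" */
            len--;                                   /* drop trailing '/' */
            while (len > 0 && buf[len - 1] != '/') len--;
            continue;
        }
        if (len + n + 1 >= sizeof buf) return false;
        memcpy(buf + len, start, n);
        len += n;
        buf[len++] = '/';
    }
    if (len > 1) len--;                              /* no trailing '/' except root */
    buf[len] = '\0';
    if (len + 1 > outlen) return false;
    memcpy(out, buf, len + 1);
    return true;
}

/* Is the client-supplied `mailbox` confined to `home`? Relative names are
 * interpreted under home; absolute names must still normalise into it.
 * Lexical only: symlinks inside home are not detected here (hypothetical helper). */
bool mailbox_in_home(const char *home, const char *mailbox)
{
    char full[4096], want[4096], base[4096];
    if (mailbox[0] == '/') {
        if (strlen(mailbox) >= sizeof full) return false;
        strcpy(full, mailbox);
    } else if (snprintf(full, sizeof full, "%s/%s", home, mailbox) >= (int)sizeof full) {
        return false;
    }
    if (!normalize_path(home, base, sizeof base) || !normalize_path(full, want, sizeof want))
        return false;
    size_t blen = strlen(base);
    if (blen == 1) return true;                      /* home is "/" */
    return strncmp(want, base, blen) == 0 && (want[blen] == '\0' || want[blen] == '/');
}
```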