[6581] in bugtraq
Re: Vulnerability in HP OpenMail
daemon@ATHENA.MIT.EDU (Richi Jennings)
Thu Apr 23 12:37:47 1998
Date: Thu, 23 Apr 1998 14:31:07 +0100
Reply-To: richi@HP.COM
From: Richi Jennings <richi@HP.COM>
X-To: dej@INODE.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199804212235.SAA03972@ruff.inode.org>
dej wrote...
> The good news is that mail users have their own Unix UIDs on the server.
> The real problem is situations where the sysadmin has denied users regular
> login access to the mail server, possibly by putting "*" in the password
> field. This is standard practice as a security measure. If you have done
> this on your OpenMail server, then you may want to check your security
> measures carefully - your users can get the equivalent of shell whether you
> allow it or not.
This is a generic issue with any program that permits shell escapes. It is
generally-accepted good practice to set up UNIX users with an
appropriately-configured restricted shell. Relying on a '*' in the password
field is not sufficient--that only means "deny logon", not "deny arbitrary
shell command."
For even tighter security, the shell can be reset to /bin/true, but that would
not, of course, allow a user to call lp.
OpenMail administrators can also look into the OpenMail "print server"
functionality, particularly the documentation on the general.cfg setting
UAL_PRINT_SERVER_ONLY in the OpenMail Technical Guide.
Regards,
richi.
--
Richi Jennings <richi@hp.com> Phone: +44 (0)1344-365870 or HPT316-5870
OpenMail Outbound & Technical Pager: richi-beep@pwd.hp.com
HP Communications Software Oper. UK http://www.hp.com/go/openmail
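One way to check for the gap Richi describes (a "*" in the password field with a full login shell still in place), as an added shell example that is not part of the original post; the list of acceptable restricted shells and the sample passwd entries are assumptions constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/passwd-style entries
# for accounts whose password field is "*" (logon denied) but whose login
# shell is still a full shell. As the post notes, "*" only means "deny logon";
# a shell escape from a mail client runs whatever shell the entry lists.

# Shells considered acceptable for mail-only accounts. This list is an
# assumption for the example; adjust it to the restricted shells on your system.
RESTRICTED_SHELLS="/bin/true /usr/bin/rsh /bin/rsh /usr/lib/rsh"

# Constructed sample passwd lines (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/usr/bin/rsh
carol:*:1003:100:Carol:/home/carol:/bin/true
dave:x:1004:100:Dave:/home/dave:/bin/ksh
erin:*:1005:100:Erin:/home/erin:'

# Read passwd lines on stdin; print each account that is "locked" with "*"
# yet keeps an unrestricted shell. An empty shell field counts as unrestricted
# because login(1) then falls back to /bin/sh.
find_starred_with_full_shell() {
    awk -F: -v ok="$RESTRICTED_SHELLS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        $2 == "*" && ($7 == "" || !($7 in allow)) { print $1 }'
}

# Run the check over the constructed sample; on a real host use
# find_starred_with_full_shell < /etc/passwd instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_starred_with_full_shell
}
```

Accounts the check reports should be given a restricted shell (or /bin/true where no shell access is needed at all) rather than relying on the "*" alone.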