In imap-4.7-5.i386.rpm, if I do Create new mail folder, select the root server and put /tmp/DIR/file as a mail folder, the imap server will create a directory DIR in /tmp and a file "file" inside DIR. This way (by starting a folder name with a /) any user can access any file in the system, not only those which are in the mail directories. My question is: is this a security hole or normal behavior?
Created attachment 272 [details] env_unix patch
What I did: I put + /* Do not allow .. and / even for registered users, + * this way every user will be able to read files + * only in mail directories. + */ + if (strstr (name,"..") || *name=='/' || *name=='.' ) return NIL; + to make sure users cannot access any files. Maybe this will disable some special sharing, but this way I get what I want: only mail directories can be accessed. Also it is very convenient to add a mail/ prefix to the imap folders, so only mail (and not all files) will be exported to imap access. Another thing: because RedHat has user private groups it is very convenient to put + /* default file protection. make 0660 + for files because of on redhat we have + private groups. */ +static long mbx_protection = 0660; + /* default directory protection make 0770 + for directories because of on redhat + we have private groups. */ +static long dir_protection = 0770; /* default lock file protection */ which simplifies folder sharing. If a user accesses a folder ~anotheruser/folder then, if anotheruser has this user as a private group member, all mail can be easily shared. This is very convenient. For the ordinary situation, the user private group will enforce the permissions. If you decide to do this you will also need the patch below to enforce the right mask for the directories. And also, the qmail part of the patch (~/Mailbox) can be ignored for sendmail.
--- imap-4.7/src/osdep/unix/dummy.c.orig Thu Oct 7 16:29:30 1999 +++ imap-4.7/src/osdep/unix/dummy.c Fri May 26 08:39:42 2000 @@ -393,6 +393,8 @@ long ret = NIL; char *t = strrchr (path,'/'); int wantdir = t && !t[1]; + mode_t oldmask; + if (wantdir) *t = '\0'; /* flush trailing delimiter for directory */ if (s = strrchr (path,'/')) { /* found superior to this name? */ c = *++s; /* remember first character of inferior */
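Review bot: in the mailboxfile() test added by the env_unix patch above (`if (strstr (name,"..") || *name=='/' || *name=='.' ) return NIL;`), `strstr (name,"..")` matches two dots anywhere in the name, so an ordinary folder called `a..b` is refused together with `../etc/passwd`; testing for `..` only as a whole path component (a leading `../`, a `/../` in the middle, a trailing `/..`) keeps the protection without the false positives. The `*name=='.'` part, on the other hand, is worth keeping: it is what stops a client from creating `.forward` or `.bashrc` in the home directory, and the replacement test proposed later in this bug (`(*name == '/') || ... strstr (name,"..") || strstr (name,"//") || strstr (name,"/~")`) has no equivalent for it.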
@@ -402,6 +404,10 @@ !dummy_create_path (stream,path)) return NIL; *s = c; /* restore full name */ } + + /* set umask to 000 so we can create rw-rw---- files. */ + oldmask=umask(0); + if (wantdir) { /* want to create directory? */ ret = !mkdir (path,(int) mail_parameters (NIL,GET_DIRPROTECTION,NIL)); *t = '/'; /* restore directory delimiter */ @@ -414,6 +420,9 @@ sprintf (tmp,"Can't create mailbox node %s: %s",path,strerror (errno)); mm_log (tmp,ERROR); } + /** Restore umask. */ + umask(oldmask); + return ret; /* return status */ }
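Review bot: `oldmask=umask(0);` in the second hunk clears every umask bit, but the stated goal in the comment (`rw-rw---- files`) only needs the group bits to survive; `umask(007)` achieves the same result for the 0660/0770 defaults while still stripping world bits should a caller ever hand mail_parameters a looser mode. umask is also process-wide, so anything else created between this line and the restore inherits the relaxed mask; keeping the window as narrow as possible matters more than the exact value.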
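Review bot: the `umask(oldmask);` restore in the third hunk sits only at the function's single `return ret;`, which is fine for the code shown, but the `mm_log (tmp,ERROR);` error branch and the mkdir() call are now inside the window; if anyone later adds an early `return` between `oldmask=umask(0);` and this line, the process keeps umask 0 for the rest of its life. Restoring right after the mkdir() (and after the file-creating call in the other branch), or wrapping both in a small helper with one exit, makes the window one statement wide.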
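How the 0660/0770 modes proposed above interact with the caller's umask, and the set-umask(0)/restore pattern of the dummy.c patch written so the mask is put back on every exit path, as an added example. This is not c-client code: the function names, the scratch location under /tmp and the sample umask of 022 are this example's own assumptions.

```c
/* Added example (not c-client code): umask versus explicit creation modes.
 * Scratch paths under /tmp, function names and the 022 sample umask are
 * assumptions made for this demonstration. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Create path with exactly `mode`: a directory if path ends in '/', else an
 * empty file. The caller's umask is zeroed only around the syscall and is
 * restored before returning, on every path. Returns 0 on success, -1 on error. */
int create_node_exact(const char *path, mode_t mode)
{
    size_t n = strlen(path);
    int wantdir = n > 0 && path[n - 1] == '/';
    mode_t old = umask(0);
    int rc = -1;

    if (wantdir) {
        char *tmp = strdup(path);
        if (tmp) {
            tmp[n - 1] = '\0';          /* drop the trailing delimiter */
            rc = mkdir(tmp, mode);
            free(tmp);
        }
    } else {
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd >= 0) { close(fd); rc = 0; }
    }
    umask(old);                         /* single restore point, always reached */
    return rc;
}

/* Permission bits as they ended up on disk, or -1 if stat fails. */
int node_perm(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* With umask 022 in effect, a plain mkdir(..., 0770) lands as 0750 (group
 * write stripped, so a private-group member could not create folders there),
 * while create_node_exact() delivers 0770 / 0660 and leaves the umask as it
 * found it. Returns 1 if every observation matches, 0 otherwise. */
int demo(void)
{
    char base[] = "/tmp/imapperm.XXXXXX";   /* constructed scratch directory */
    char plain[64], exact[64], mbox[64];
    mode_t saved, cur;
    int ok;

    if (!mkdtemp(base)) return 0;
    saved = umask(022);
    snprintf(plain, sizeof plain, "%s/plain", base);
    snprintf(exact, sizeof exact, "%s/exact/", base);
    snprintf(mbox,  sizeof mbox,  "%s/mbox",  base);

    ok = mkdir(plain, 0770) == 0             && node_perm(plain) == 0750
      && create_node_exact(exact, 0770) == 0 && node_perm(exact) == 0770
      && create_node_exact(mbox,  0660) == 0 && node_perm(mbox)  == 0660;
    cur = umask(saved);                     /* put the original mask back */
    ok = ok && cur == 022;                  /* and confirm 022 was still set */

    unlink(mbox); rmdir(plain); rmdir(exact); rmdir(base);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "modes as expected" : "unexpected result");
    return 0;
}
```

The group bits only share anything once the owner's private group actually has other members; the example shows the mechanics of getting them onto disk, not the membership side.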
This is a response I received from the IMAP author. I replaced my test if (strstr (name,"..") || *name=='/' || *name=='.' ) return NIL; with the one Mark proposed (see below). Note that his test also checks the string length. Subject: re: is this a security problem in imap 4.7? Date: Fri, 26 May 2000 15:07:34 -0700 (PDT) From: Mark Crispin <MRC.EDU> To: Vladislav Malyshkin <vmalyshkin> On Fri, 26 May 2000 12:43:09 -0400, Vladislav Malyshkin wrote: > /tmp/DIR/file > as a mail folder This is normal behavior. The IMAP server is just an application, and can access any file that the user can. At this point, it is not running as root, so it can not access files which are protected against the user. If you want to disable this behavior, look at routine mailboxfile() in env_unix.c. Modify it to do what you want, e.g. changing: /* check invalid name */ if (!name || !*name || (*name == '{') || (strlen (name) > NETMAXMBX)) return NIL; to be something like: /* check invalid name */ if (!name || !*name || (*name == '{') || (*name == '/') || (strlen (name) > NETMAXMBX) || strstr (name,"..") || strstr (name,"//") || strstr (name,"/~")) return NIL;
Your solution seems to make the most sense. If you have a server that is strictly supposed to serve mail to users without shells or any other kind of access, then letting them create folders anywhere writable by that user (i.e. /tmp, /var/tmp, /var/spool/fax/outgoing... tons more) makes no sense. Of course other more serious concerns could be drawn from this as well. -Stan Bubrouski
I talked about similar problems in bug #11696, which of course is still listed as new... Of course this problem doesn't concern me as much as the buffer overflows reported almost two months ago that have yet to be fixed... people getting remote shells is nothing to laugh about. Red Hat, where are you!!!
Also, about buffer overflows: most of them (if any were left) were fixed in imap-4.7c2.tar.Z. RedHat uses imap-4.7.tar.Z. The imap-4.7c2.tar.Z is available from ftp://ftp.cac.washington.edu/mail/ If you diff these two trees you will see that most of the difference in imap-4.7c2.tar.Z compared to imap-4.7.tar.Z (which is used in RedHat) is a bunch of added length checks in the functions.
assigned to the new owner
Created attachment 2294 [details] patch1
Created attachment 2295 [details] patch2
Created attachment 2296 [details] patch3
Latest errata shouldn't have these problems. Please verify and I'll close ERRATA.
No, imap-2000c-10 does not fix it. To fix it, the patch https://bugzilla.redhat.com/bugzilla/showattachment.cgi?attach_id=2296 should be applied. Also, I would recommend using the more general patch https://bugzilla.redhat.com/bugzilla/showattachment.cgi?attach_id=2294 which would allow mailbox sharing when unix permissions allow this.
Also, there is another possible security problem with imap. It stores all mail folders in the home directory, where .bashrc, .Xauthority, .forward etc. are located. This way from imap one can modify these files (just create a mailbox with such a name) and gain shell access even if it is not allowed. The best way to solve this problem is to put all mailboxes in a special directory ~/mail, the same thing as PINE does. To do this just add an option MAILSUBDIR=\"mail\" to EXTRACFLAGS in imap.spec and add a mail directory to /etc/skel/. This is not 100% compatible with how it was before on RedHat, but otherwise the mail just interferes with everything else.
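A stand-alone version of the mailbox-name check discussed in this bug, as an added example that is not c-client code and not any of the attached patches. It starts from the mailboxfile() test Mark Crispin proposed above (reject absolute names, `//`, `/~` and the `{host}` form, cap the length) and adds the two points raised in the reporter's comments: a name whose path component starts with `.` is refused, so `.bashrc`, `.forward` and `../x` cannot be created, while a harmless name like `a..b` still passes; and accepted names are resolved under a mail/ subdirectory of the home directory, the MAILSUBDIR idea. The function names, the NETMAXMBX value and the home path are assumptions made for this example.

```c
/* Added example (not c-client code): a mailbox-name check that combines the
 * mailboxfile() test proposed in this bug with a component-wise dotfile
 * rule, plus resolution under <home>/mail. Function names, NETMAXMBX and
 * the sample home path are assumptions. */
#include <stdio.h>
#include <string.h>

#define NETMAXMBX 256   /* assumed here; c-client has its own definition */

/* 1 if name is acceptable, 0 if it must be rejected. */
int mailbox_name_ok(const char *name)
{
    const char *p;

    if (!name || !*name || strlen(name) > NETMAXMBX) return 0;
    if (*name == '{') return 0;                    /* remote {host} syntax */
    if (*name == '/') return 0;                    /* absolute path */
    if (strstr(name, "//") || strstr(name, "/~")) return 0;

    /* Walk the name one path component at a time. Any component that starts
     * with '.' is refused: that covers ".", "..", ".bashrc" and "sub/.forward",
     * whereas a plain strstr(name, "..") would also reject "a..b". A trailing
     * '/' (c-client's "create a directory" form) leaves no extra component. */
    for (p = name; *p; ) {
        const char *slash = strchr(p, '/');
        if (*p == '.') return 0;
        if (!slash) break;
        p = slash + 1;
    }
    return 1;
}

/* Resolve an accepted name to a path under <home>/mail. A name starting with
 * '~' passes the check above (the proposed test deliberately keeps the ~user
 * sharing syntax) but is not resolved here, since that needs the password
 * database. Returns 1 and fills out on success, 0 otherwise. */
int mailbox_path(const char *home, const char *name, char *out, size_t outlen)
{
    int n;
    if (!mailbox_name_ok(name) || *name == '~') return 0;
    n = snprintf(out, outlen, "%s/mail/%s", home, name);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* constructed sample names, including the ones from this bug report */
    const char *samples[] = { "/tmp/DIR/file", "../.bashrc", ".forward",
                              "lists/bugzilla", "a..b", "~other/folder" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (!mailbox_name_ok(samples[i]))
            printf("%-16s rejected\n", samples[i]);
        else if (mailbox_path("/home/user", samples[i], path, sizeof path))
            printf("%-16s -> %s\n", samples[i], path);
        else
            printf("%-16s accepted, ~user form not resolved here\n", samples[i]);
    }
    return 0;
}
```

The component walk is the part that differs from both checks in the thread: it catches `work/../../.forward` and `sub/.forward` without relying on a substring match, and it does not need the separate `*name=='.'` test from the first patch because a leading dot is just the first component.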
Not sure what the status of this is, but bouncing back to assigned for the developer to make comments.
Comment on attachment 2294 [details] patch1 Comment describing patch1: This is a patch which: 1. makes a check for the folder name. 2. sets permissions so users can share folders: ~username/folder will access username's folder "folder". Permissions are checked via standard unix permissions. On RedHat with user private groups everything should be OK.
Comment on attachment 2295 [details] patch2 Comment describing patch2: This patch moves mail folders from ~ to ~/mail, thus making ~ much less cluttered with mail. But I am not completely sure this is the right thing for RedHat. If you decide to make ~ less cluttered, add a mail/ directory to /etc/skel/ and set permission rwxrws--- on /etc/skel/mail/
Comment on attachment 2296 [details] patch3 Comment describing patch3: This is a minimal patch (if you decide to reject my perm_dir patch, which also allows a very nice feature to share mail between users, the most often used function of MS-Exchange). This minimal patch just disables creation of mail folders in any directory but the mail directory.