Bug 11696 - mailfolders in any directory
Summary: mailfolders in any directory
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: imap   
Version: 7.0
Hardware: All Linux
Target Milestone: ---
Assignee: John Dennis
QA Contact:
Keywords: Security
Depends On:
Reported: 2000-05-26 20:28 UTC by mal
Modified: 2008-06-07 09:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-06-21 21:42:03 UTC

Attachments
env_unix patch (2.21 KB, patch)
2000-05-26 21:55 UTC, mal
patch1 (2.68 KB, patch)
2000-08-09 14:05 UTC, mal
patch2 (773 bytes, patch)
2000-08-09 14:18 UTC, mal
patch3 (801 bytes, patch)
2000-08-09 14:30 UTC, mal

Description mal 2000-05-26 20:28:32 UTC
In imap-4.7-5.i386.rpm
if I do
Create new mail folder,
select root server
and put
as a mailfolder

the imap server will create
a directory DIR in /tmp
and file "file" inside DIR.
This way (by starting a folder with a /)
any user can access any file in the system,
not only those which are in the mail directories.

My question is:
is this a security hole or normal behavior?

Comment 1 mal 2000-05-26 21:55:59 UTC
Created attachment 272 [details]
env_unix patch

Comment 2 mal 2000-05-26 22:04:59 UTC
What I did I put
+  /* Do not allow .. and / even for registered users,
+   * this way every user will be able to read files
+   * only in mail directories.
+   */
+  if (strstr (name,"..") || *name=='/' || *name=='.' ) return NIL;
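Review bot: The `*name=='.'` test on the added line only inspects the first character, so a dot-name below the top level (for example `lists/.hidden`) still passes, while `strstr (name,"..")` also rejects harmless names such as `archive..old`. The line dereferences `name` with no NULL or empty-string check visible in the hunk and sets no length limit. Suggest testing each path component (reject a component that is exactly `..` or that starts with `.`), placing the test after a null check, and having the comment say which names are refused and why.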

to make sure users cannot access any files.
Maybe this will disable some special sharing,
but this way I get what I want - only mail directories can be accessed.
Also it is very convenient to add mail/ prefix to
the imap folders, so only mail (and not all files)
will be exported to imap access.

Another thing - because RedHat has user private
groups it is very convenient to
+                               /* default file protection. make 0660
+                                  for files because of on redhat we have
+                                  private groups. */
+static long mbx_protection = 0660;
+                               /* default directory protection make 0770
+                                   for directories because of on redhat
+                                  we have private groups. */
+static long dir_protection = 0770;
                                /* default lock file protection */
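Review bot: `mbx_protection = 0660` and `dir_protection = 0770` change the compiled-in defaults for every build, but the comments justify them only for hosts with user private groups; where several users share a primary group, each new mailbox and mail directory becomes readable and writable by that whole group. Suggest leaving the defaults as they were and enabling the group-accessible modes through a build option in the spec file, so the wider mode is an explicit choice. The comment wording ("because of on redhat") should also be tidied.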

which simplifies folder sharing.
If a user accesses a folder
then, if another user has this user as a private group member
all mail can be easily shared. This is very convenient.
For ordinary situation - user private group will
enforce the permissions.
If you decide to do this you will also need
the patch below to enforce right mask for the directories.
And also, the qmail part of the patch (~/Mailbox) can be ignored for sendmail.

--- imap-4.7/src/osdep/unix/dummy.c.orig        Thu Oct  7 16:29:30 1999
+++ imap-4.7/src/osdep/unix/dummy.c     Fri May 26 08:39:42 2000
@@ -393,6 +393,8 @@
   long ret = NIL;
   char *t = strrchr (path,'/');
   int wantdir = t && !t[1];
+  mode_t oldmask;
   if (wantdir) *t = '\0';      /* flush trailing delimiter for directory */
   if (s = strrchr (path,'/')) {        /* found superior to this name? */
     c = *++s;                  /* remember first character of inferior */
@@ -402,6 +404,10 @@
        !dummy_create_path (stream,path)) return NIL;
     *s = c;                    /* restore full name */
+  /* set umask to 000 so we can create rw-rw---- files. */
+  oldmask=umask(0);
   if (wantdir) {               /* want to create directory? */
     ret = !mkdir (path,(int) mail_parameters (NIL,GET_DIRPROTECTION,NIL));
     *t = '/';                  /* restore directory delimiter */
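Review bot: `oldmask=umask(0);` clears the process-wide mask, so from this line until the restore the mode passed to `mkdir` (the GET_DIRPROTECTION value) is applied unfiltered and a stricter umask chosen by the user or administrator is silently ignored. The comment also says "rw-rw---- files" although the call that follows creates a directory. Suggest creating the node under the normal umask and then setting the wanted mode on the new path with chmod, which avoids touching process-wide state, and correcting the comment to cover both the directory and the file case.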
@@ -414,6 +420,9 @@
     sprintf (tmp,"Can't create mailbox node %s: %s",path,strerror (errno));
     mm_log (tmp,ERROR);
+  /** Restore umask. */
+  umask(oldmask);
   return ret;                  /* return status */
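Review bot: The restore `umask(oldmask);` sits only on the final path just before `return ret;`, after the error logging, so any return added later between the `umask(0)` call and this line would leave the server running with umask 0 for the rest of the session. Suggest restoring the mask immediately after the creation call, before `sprintf`/`mm_log`, so the cleared mask covers exactly one call. The `/**` comment opener should match the `/*` style used in the rest of the file.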

Comment 3 mal 2000-05-26 22:37:59 UTC
This is a response I received from IMAP author:

I replaced my test
if (strstr (name,"..") || *name=='/' || *name=='.' ) return NIL;
to one Mark proposed (see below).
Note that his test also checks string length.

Subject:  re: is this a security problem in imap 4.7?
Date: Fri, 26 May 2000 15:07:34 -0700 (PDT)
From: Mark Crispin <MRC@CAC.Washington.EDU>
To: Vladislav Malyshkin <vmalyshkin@columbusgrp.com>

On Fri, 26 May 2000 12:43:09 -0400, Vladislav Malyshkin wrote:
> /tmp/DIR/file
> as a mail folder

This is normal behavior.  The IMAP server is just an application, and can
access any file that the user can.  At this point, it is not running as root,
so it can not access files which are protected against the user.

If you want to disable this behavior, look at routine mailboxfile() in
env_unix.c.  Modify it to do what you want, e.g. changing:
                                /* check invalid name */
  if (!name || !*name || (*name == '{') || (strlen (name) > NETMAXMBX))
    return NIL;
to be something like:
                                /* check invalid name */
  if (!name || !*name || (*name == '{') || (*name == '/') ||
      (strlen (name) > NETMAXMBX) ||
      strstr (name,"..") || strstr (name,"//") || strstr (name,"/~"))
    return NIL;

Comment 4 SB 2000-06-21 01:37:08 UTC
Your solution seems to make the most sense.  If you have a server that
is strictly supposed to serve mail to users without shells or any other
kind of access then letting them create folders anywhere writable by
that user (i.e. /tmp /var/tmp /var/spool/fax/outgoing...tons more) makes
no sense.  Of course other more serious concerns could be drawn from this
as well.

-Stan Bubrouski

Comment 5 SB 2000-06-21 01:40:16 UTC
I talked about similar problems in bug #11696 which of course is still
listed as new...of course this problem doesn't concern me as much as
the buffer overflows reported over almost two months ago that have
yet to be fixed...people getting remote shells is nothing to laugh about.
Red Hat where are you!!!

Comment 6 mal 2000-07-13 18:28:21 UTC
Also, about buffer overflows
most of them (if any left)
were fixed in imap-4.7c2.tar.Z 
RedHat uses imap-4.7.tar.Z
The imap-4.7c2.tar.Z is available from ftp://ftp.cac.washington.edu/mail/
If you do diff between these two trees you will see that
most of the difference in imap-4.7c2.tar.Z
compared to imap-4.7.tar.Z (which is used in RedHat)
is a bunch of added length checks in the functions.

Comment 7 Cristian Gafton 2000-08-09 02:28:49 UTC
assigned to the new owner

Comment 8 mal 2000-08-09 14:05:16 UTC
Created attachment 2294 [details]

Comment 9 mal 2000-08-09 14:18:11 UTC
Created attachment 2295 [details]

Comment 10 mal 2000-08-09 14:30:12 UTC
Created attachment 2296 [details]

Comment 11 Mike A. Harris 2001-08-13 12:23:52 UTC
Latest errata shouldn't have these problems.  Please verify and
I'll close ERRATA.

Comment 12 mal 2001-08-13 16:40:03 UTC
No, iimap-2000c-10 does not fix it.
To fix it a patch
should be applied.

Also, I would recommend to use more general patch

which would allow mailbox sharing when unix permissions
allow to do this.

Comment 13 mal 2001-08-13 16:46:41 UTC
Also, there is another possible security problem with imap.
It stores all mailfolders in the home directory
where .bashrc , .Xauthority .forward and etc are located.
This way from imap one can modify these files (just create a mailbox with such
and gain shell access even if it is not allowed.

The best way to solve this problem is to put all mailboxes to the 
special directory ~/mail same thing as PINE does.
to do this just add an option  MAILSUBDIR=\"mail\"
to EXTRACFLAGS in imap.spec
and add mail directory to /etc/skel/
This is not 100% compatible with how it was before on RedHat,
but other way the mail just interferes with everything else.
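Added example, not code from c-client or from the patches attached to this bug: the name check quoted in comment 3 combined with the mail-subdirectory confinement proposed in comment 13, run over constructed mailbox names. The `NETMAXMBX` value, the function names and the `/home/alice` home directory are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NETMAXMBX 256       /* assumed value for this example */
#define MAILSUBDIR "mail"   /* subdirectory proposed in comment 13 */

/* Name check as proposed in comment 3: returns 1 if acceptable. */
static int mailbox_name_ok(const char *name)
{
    if (!name || !*name || (*name == '{') || (*name == '/') ||
        (strlen(name) > NETMAXMBX) ||
        strstr(name, "..") || strstr(name, "//") || strstr(name, "/~"))
        return 0;
    return 1;
}

/* Map an accepted name to home/MAILSUBDIR/name (hypothetical helper).
 * Returns dst, or NULL if the name is rejected or does not fit. */
static char *mailbox_path(char *dst, size_t dstlen,
                          const char *home, const char *name)
{
    int n;

    if (!mailbox_name_ok(name)) return NULL;
    n = snprintf(dst, dstlen, "%s/%s/%s", home, MAILSUBDIR, name);
    if (n < 0 || (size_t) n >= dstlen) return NULL;
    return dst;
}

int main(void)
{
    /* Constructed sample names; /home/alice is a made-up home directory. */
    static const char *names[] = { "/tmp/DIR/file", "../other", "a//b",
                                   "lists/~bob", ".bashrc", "lists/redhat" };
    char buf[512];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *p = mailbox_path(buf, sizeof buf, "/home/alice", names[i]);
        printf("%-14s -> %s\n", names[i], p ? p : "(rejected)");
    }
    return 0;
}
```

The name `.bashrc` passes the name check, so it is the mail subdirectory, not the check, that keeps such a mailbox away from the login dotfile in the home directory.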

Comment 14 Jay Turner 2003-04-14 18:47:43 UTC
Not sure what the status of this is, but bouncing back to assigned for the
developer to make comments.

Comment 18 David Lawrence 2008-01-25 19:51:58 UTC
Comment on attachment 2294 [details]

Comment describing patch1:

This is a patch which: 1. makes a check for folder name. 2. sets permissions so
users can share folders: ~username/folder will access username's folder "folder".
Permissions are checked via standard unix permissions. On RedHat with user
private group everything should be OK

Comment 19 David Lawrence 2008-01-25 19:52:40 UTC
Comment on attachment 2295 [details]

Comment describing patch2:

This patch moves mailfolders from ~ to ~/mail, thus makes ~ much less cluttered
with mail. But I am not completely sure this is the right thing for RedHat. If
you decide to make ~ less cluttered - add mail/ directory to /etc/skel/ and set
permission rwxrws--- to /etc/skel/mail/

Comment 20 David Lawrence 2008-01-25 19:53:18 UTC
Comment on attachment 2296 [details]

Comment describing patch3:

This is a minimal patch (if you decide to reject my perm_dir patch, which also
allows very nice feature to share mail between users - the most often used
function of MS-Exchange). This minimal patch just disables creation of mail
folders in any directory but mail directory.
