Bug 45124

Summary: uw-imapd creates world-writable tmp file
Product: Ports & Packages Reporter: Matthias Buelow <mkb>
Component: Individual Port(s)Assignee: Anders Nordby <anders>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.dat none

Description Matthias Buelow 2002-11-08 01:00:08 UTC 
The UW imap server (<ports>/mail/imap-uw) seems to create a world writable
file in /tmp, owned by the imap account user, where it records its PID:

# ls -l /tmp
total 6
-rw-rw-rw-  1 mlmkb  wheel    5 Nov  8 01:44 .20d05.60c0a
# cat /tmp/.20d05.60c0a 
63918
# ps uxp 63918
USER    PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
mlmkb 63918  0.0  0.1  1812 1248  ??  Is    1:44AM   0:00.02 imapd

There seems to be an advisory lock on the file (vi complains, for
example) but this is no protection at all; a simple echo >> f
will append to the file, for example.

The bug could be used to allocate disk blocks on behalf of another
user.  I don't know whether it could be used for further disruption
(such as replacing the pid in there with that of another process
owned by the user).

imapd version is IMAP4rev1 2001.315

Fix: 

Contact the uw-imapd maintainer for requesting a bug fix.
How-To-Repeat: 
See above.
Comment 1 Patrick Li freebsd_committer freebsd_triage 2002-11-23 19:18:51 UTC 
Responsible Changed
From-To: freebsd-ports->anders

Over to maintainer
Comment 2 Anders Nordby freebsd_committer freebsd_triage 2002-11-26 23:52:16 UTC 
Howdy,

On Fri, Nov 08, 2002 at 01:58:37AM +0100, Matthias Buelow wrote:
>>Synopsis:       uw-imapd creates world-writable tmp file

I have attached answer from the author. I'm considering just closing
this PR, because:

a) It is not an issue with the FreeBSD port, it is an issue with imap-uw
itself that should be solved by the author, or by cooperating with the
author.
b) Mark's stance on local host security and imap-uw is that you should
not run imap-uw if you do not trust all your shell/login users.

I'm welcome to any suggestions and thoughts. However, I don't think it's
a good idea to work against what the author wants to do with this
software.

Cheers,

-- 
Anders.
Comment 3 Matthias Buelow 2002-11-27 03:48:34 UTC 
Anders Nordby wrote:

> I have attached answer from the author. I'm considering just closing
> this PR, because:

Excellent.. please close the PR.  Time to look out for an imapd with a 
less flawed architecture.

-- 
Matthias Buelow
Comment 4 Anders Nordby freebsd_committer freebsd_triage 2002-11-27 03:51:29 UTC 
State Changed
From-To: open->closed

IMAP-UW is not to be combined with login accounts to users you do not 
trust.