[OpenAFS] qmail and user mail accounts in AFS
Sergio Gelato
Sergio.Gelato@astro.su.se
Tue, 9 Mar 2004 07:45:11 +0100
* bucy-openafs@gloop.org [2004-02-26 14:09:42 -0500]:
> On Tue, Feb 24, 2004 at 10:33:57AM -0600, Troy Benjegerdes wrote:
>
> > I have a script that starts up courier-imap and courier-mta with tokens
> > for a user called 'mail' that has ACL's for all the user's maildirs.
>
> We contemplated this and its a bad idea if you allow a user to put
> arbitrary shellcode in .qmail -- any user's delivery can clobber any
> other user's mail since they're all running with the same creds.
True, although if you tighten up the ACLs on the maildirs (lidk on tmp/,
lik on new/ for the mail user) what you get is "only" denial of service
and mailbox poisoning attacks, no clobbering of legitimate email. By
"mailbox poisoning" I mean the insertion of a perfect forgery in which
not even the first Received: header is authentic. Of course that's
already bad enough.
> (i.e. there's a user/mail princ/user.mail pts user for each user which
> in turn only has rights on the user's maildir)
Burns up twice as many uids, but if you can afford that it's the way to go.