Re: imap4d LIST and DELETE
From: Alain Magloire
Subject: Re: imap4d LIST and DELETE
Date: Wed, 23 May 2001 11:50:18 -0400 (EDT)
Hello
> > Ok, but it is a little tricky:
> >
> > 1- The implementation to "jail" file access to "/home/user/Mail" for
> > example:
>
> Suppose we map '/' to '/home'. '~username' is then mapped to '/home/username'.
> Then
>
> a001 LIST "" ../../../../../../../../../../etc/passwd
> a002 LIST "" ../../../../../../../../../../Mail/junk
> a003 DELETE //../../../../../../home/user/Mail/junk
> a004 LIST "" /home/user/Mail/junk
> a005 LIST "" /home/user/junk
>
> will definitely fail (and a good thing a001 fails ain't it? :)
8-)
Actually I think it should succeed iff /home/user/etc/passwd exists.
No? (Playing devil's advocate).
>
> a006 LIST "" ~user/Mail/junk
> a007 LIST "" ~/Mail/junk
> a008 LIST "" ~/junk
>
> will all succeed. Furthermore:
>
> a009 LIST "" ../otheruser/Mail
> a010 LIST "" ~otheruser/Mail
>
> will also succeed, provided that /home/otheruser is readable for `user'.
You're making the assumption that all user homedirs are under the same
hierarchy (in this case "/home"). This is true in most cases, but you
may find sites where you will have:
~user1 --> /home/user
~user2 --> /home2/user2
etc ..
I'd say a009 fails unless there is a /home/user/otheruser/Mail
and a010 succeeds.
> > 3- You may wish to provide shared mailboxes access, like
> > ~bugzilla/Mail/PRs
> > where users can access different PR's etc ...
> <snip>
> > 5- What about users with a second account:
> >
> > a00 SELECT ~mysecond_account/Mail/sent
>
> Again, under the same supposition
>
> a011 LIST "/" *
>
> will list the contents of /home. Thus ~bugzilla/Mail/PRs will work.
> The same for users with a second account.
Ok.
>
> > 2- Using chroot () is probably not a good idea, because INBOX
> > still could map to /var/mail/user.
> Agreed. But INBOX being the only exception from the mapping rule,
> it can be implemented without chroot(), I guess.
Ok.
> > 4- point (3) does not go well with your idea of only listing
> > the files owned by user. Imap servers are use
> Yes, you are right. At this point I was way too restrictive.
>
> The exact mapping of '/' could be made configurable. For example:
> imap4d --home=/var/users.
>
> What do you think about it?
A step in the right direction; how about taking it further?
imap4d --namespace='~:/home/shared'
The hierarchy '~' (maps to homedirs) is allowed and the '/home/shared'
is also permitted. Default is only '~'.
Take a look at:
http://www.imc.org/rfc2342
IMAP4 Namespace
to see a plausible way of doing things.
--
goodbye, alain
----
However high up you sit, you are still only sitting on your own arse !!!
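
Added example (not from the imap4d source and not written by either poster): a sketch in C of the `--namespace='~:/home/shared'` mapping proposed in this message, following the reading given here that `..` cannot climb out of a permitted root. The function names, the constructed home table standing in for a password-database lookup, and the choice to reject absolute names outside the listed namespaces are assumptions.

```c
#include <string.h>

/* Constructed stand-in for getpwnam(); homes need not share one parent. */
static const char *homes[][2] = {{"user", "/home/user"}, {"user2", "/home2/user2"}};

static const char *home_of(const char *u, size_t n) {
    for (size_t i = 0; i < sizeof homes / sizeof *homes; i++)
        if (!strncmp(homes[i][0], u, n) && !homes[i][0][n]) return homes[i][1];
    return NULL;
}

/* Lexical join: ".." pops a component but never above root; no symlink check. */
static int jail_join(const char *root, size_t base, const char *rel,
                     char *out, size_t len) {
    size_t end = base;
    if (base >= len) return -1;
    memcpy(out, root, base);
    while (*rel) {
        size_t n = strcspn(rel, "/");
        if (n == 2 && rel[0] == '.' && rel[1] == '.') {
            while (end > base && out[--end] != '/') continue;
        } else if (n && !(n == 1 && rel[0] == '.')) {
            if (end + n + 2 > len) return -1;   /* '/', component, NUL */
            out[end++] = '/';
            memcpy(out + end, rel, n);
            end += n;
        }
        rel += n + (rel[n] == '/');
    }
    out[end] = '\0';
    return 0;
}

/* ns is a ':'-separated list, e.g. "~:/home/shared". Returns 0 and fills out,
   or -1 when the name falls outside every permitted namespace. */
int resolve_mailbox(const char *name, const char *me, const char *ns,
                    char *out, size_t len) {
    int tilde = 0;
    for (const char *p = ns; *p; ) {
        size_t n = strcspn(p, ":");
        if (n == 1 && *p == '~') tilde = 1;
        else if (n && !strncmp(name, p, n) && (name[n] == '/' || !name[n]))
            return jail_join(p, n, name + n, out, len);  /* shared hierarchy */
        p += n + (p[n] == ':');
    }
    if (!tilde || name[0] == '/') return -1;
    size_t u = name[0] == '~' ? strcspn(name + 1, "/") : 0;  /* "~other" length */
    const char *home = u ? home_of(name + 1, u) : home_of(me, strlen(me));
    if (!home) return -1;
    return jail_join(home, strlen(home), name + (name[0] == '~') + u, out, len);
}
```

Called as `resolve_mailbox(name, "user", "~:/home/shared", buf, sizeof buf)`, the a001 name comes back as `/home/user/etc/passwd`, so whether the LIST succeeds depends only on that file existing under the user's own home.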