Re: Vulnerability in HP OpenMail

[richi () HP COM (Richi Jennings)]

dej wrote...

> The good news is that mail users have their own Unix UIDs on the server.
> The real problem is situations where the sysadmin has denied users regular
> login access to the mail server, possibly by putting "*" in the password
> field.  This is standard practice as a security measure.  If you have done
> this on your OpenMail server, then you may want to check your security
> measures carefully - your users can get the equivalent of shell whether you
> allow it or not.

This is a generic issue with any program that permits shell escapes.  It is
generally-accepted good practice to set up UNIX users with an
appropriately-configured restricted shell.  Relying on a '*' in the password
field is not sufficient--that only means "deny logon", not "deny arbitrary
shell command."

For even tighter security, the shell can be reset to /bin/true , but that would
not of course allow a user to call lp.

OpenMail administrators can also look into the OpenMail "print server"
functionality, particularly the documentation on the general.cfg setting
UAL_PRINT_SERVER_ONLY in the OpenMail Technical Guide.


Regards,

richi.
--
 Richi Jennings <richi () hp com>        Phone: +44 (0)1344-365870 or HPT316-5870
 OpenMail Outbound & Technical        Pager: richi-beep () pwd hp com
 HP Communications Software Oper. UK  http://www.hp.com/go/openmail