Hello!

  Yesterday I found that any user is able to start any program on the
server with a .qmail file. This could be potentially dangerous, AFAIU. As
an example: I denied TELNET access (disabled the service in inetd.conf),
but any user can put "|in.telnetd" in their .qmail file (of course, there
should be not only in.telnetd for it to work correctly).
  Also, any user is able to get our /etc/passwd file. It is not
dangerous because there are no passwords, but it is possible to a) find
out where a user's homedir is, and b) get the total list of users, which
can later be used for, let's say, spamming.
  Your imagination is the only limit for this.

  Are there any suggestions about how to avoid all the potential
problems?

________________________________________________________
  Regards, Dmitry Niqiforoff      [tel. +7 8462 427427]
  Kraft-S, Ltd.
  Samara, Russia
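
One way an administrator could review the exposure described in this message, as an added example that is not part of the original post: the script lists every program-delivery line (a line starting with "|") in users' .qmail files and marks which ones run a program from an allow-list. The function names, the allow-list, the assumption that all home directories sit under one root, and the sample users and files are constructed for illustration.

```python
import os
import tempfile

SHELL_META = set(";&|`$<>()")  # qmail-local passes the command to sh


def audit_dot_qmail(home_root, allowed=frozenset()):
    """Return sorted (user, file, line_no, command, allowlisted) tuples for
    every program delivery; assumes homes sit directly under home_root."""
    findings = []
    for home in os.scandir(home_root):
        if not home.is_dir(follow_symlinks=False):
            continue
        for entry in os.scandir(home.path):
            if not (entry.name.startswith(".qmail") and entry.is_file()):
                continue
            with open(entry.path, errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    if not line.startswith("|"):
                        continue  # comment, forward or mailbox line
                    command = line[1:].strip()
                    words = command.split()
                    program = os.path.basename(words[0]) if words else ""
                    # First word is a triage aid only: a command with shell
                    # metacharacters is never reported as allowlisted.
                    ok = program in allowed and not SHELL_META & set(command)
                    findings.append((home.name, entry.name, line_no, command, ok))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (hypothetical users and files)."""
    samples = {
        ("alice", ".qmail"): "# constructed sample\n./Maildir/\n",
        ("bob", ".qmail"): "|in.telnetd\n",
        ("carol", ".qmail-lists"): "&carol@example.org\n|preline procmail\n",
        ("dave", ".qmail"): "|preline procmail; date >> seen\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for (user, name), body in samples.items():
            os.makedirs(os.path.join(root, user), exist_ok=True)
            with open(os.path.join(root, user, name), "w") as fh:
                fh.write(body)
        return audit_dot_qmail(root, allowed={"preline"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the real home root with read access to every home directory; lines reported with `False` in the last field are the ones to review first.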

