On Mon, 17 Apr 2000 23:02:48 -0700, R. C. Dowdeswell wrote:
> Using chroot in a lot of situations is rather dangerous, and one
> must carefully set up the environment that it runs in.
Yes. This is why I would never do it by default; it's something that the site
has to turn on explictly (and they
> Can we please [] discuss the facts rationally?
> 1) There is no added vulnerability at all for a UNIX system which
>permits shell access.
This is not quite true. There is no added vulnerability for a system
which permits shell access with the same
pair which gives mailbox access.
One si
In message <[EMAIL PROTECTED]> Mark Crispin writes:
: Last but not least, I am very interested in Kris Kennaway's claim
: that "It may also be possible to break out of the chroot jail on
: some platforms." If true, it represents a huge root-level security
: hole on those platforms. I simply do n
On 956021099 seconds since the Beginning of the UNIX epoch
Mark Crispin wrote:
>
>The final form of the CHROOT_SERVER code, which will be an option in the next
>distributed version, consists of:
> if (chroot (home ? home : ANONYMOUSHOME)) return NIL;
> home = "/";
>And, yes, this will do the nec
Mark Crispin wrote:
> Last but not least, I am very interested in Kris Kennaway's claim that "It may
> also be possible to break out of the chroot jail on some platforms." If true,
> it represents a huge root-level security hole on those platforms. I simply do
> not believe the claim. I would
>Last but not least, I am very interested in Kris Kennaway's claim that "It
may
>also be possible to break out of the chroot jail on some platforms." If
It is possible, especially if you have /proc mounted. It is made even
more likely if you have processes inside and outside of the chroot
envir
Can we please avoid hyperbole (such as "Seattle disease"), and discuss the
facts rationally?
1) There is no added vulnerability at all for a UNIX system which permits
shell access. I don't have sufficient data to know what percentage of UW
imapd sites run IMAP servers on top of shell UNIX
On Mon, 17 Apr 2000, Mark Crispin wrote:
> As was indicated, all privileges are dropped at that point. There is nothing
> that can be done by crashing imapd this way that can not also be done (much
> easier) by logging in to the UNIX shell.
This does not seem to be enough: many people run mail
> The recent BUGTRAQ report about a way to cause the LIST command to get a
> buffer overflow was just forwarded to me.
>
> As was indicated, all privileges are dropped at that point. There is nothing
> that can be done by crashing imapd this way that can not also be done (much
> easier) by loggin