Re: Vulnerability in HP OpenMail
From: richi () HP COM (Richi Jennings)
Date: Thu, 23 Apr 1998 14:31:07 +0100
The good news is that mail users have their own Unix UIDs on the server.
The real problem is situations where the sysadmin has denied users regular
login access to the mail server, possibly by putting "*" in the password
field. This is standard practice as a security measure. If you have done
this on your OpenMail server, then you may want to check your security
measures carefully - your users can get the equivalent of shell whether you
allow it or not.
This is a generic issue with any program that permits shell escapes. It is
generally-accepted good practice to set up UNIX users with an
appropriately-configured restricted shell. Relying on a '*' in the password
field is not sufficient--that only means "deny logon", not "deny arbitrary
For even tighter security, the shell can be reset to /bin/true, but that would
not of course allow a user to call lp.
OpenMail administrators can also look into the OpenMail "print server"
functionality, particularly the documentation on the general.cfg setting
UAL_PRINT_SERVER_ONLY in the OpenMail Technical Guide.
Richi Jennings <richi () hp com> Phone: +44 (0)1344-365870 or HPT316-5870
OpenMail Outbound & Technical Pager: richi-beep () pwd hp com
HP Communications Software Oper. UK http://www.hp.com/go/openmail
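The post's point is that a "*" in the password field only denies logon; an account with a full shell can still reach one through a program that permits shell escapes. The following audit script is an added example (not from the post or from HP) that flags locked accounts whose login shell is not in a site-defined list of restricted shells; the list of "restricted enough" shells and the constructed sample passwd file are assumptions, and on systems with shadow passwords the lock marker would have to be read from the shadow file instead.

```shell
#!/bin/sh
# Audit a passwd-format file for accounts whose password field is locked
# ("*", "!", "!!" or "*LK*") but which still carry a full interactive shell.
# Such accounts can obtain the equivalent of a shell through any program
# that permits shell escapes, which is the issue the post describes.

# Shells treated as "restricted enough" (assumption; adjust for the site).
RESTRICTED_SHELLS="/bin/true /bin/false /sbin/nologin /usr/bin/rsh"

is_restricted_shell() {
    for s in $RESTRICTED_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print "user:shell" for every locked account with an unrestricted shell.
find_locked_with_full_shell() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$pw" in
            '*'|'!'|'!!'|'*LK*') ;;   # locked password field: inspect shell
            *) continue ;;            # not locked: out of scope here
        esac
        is_restricted_shell "$shell" || printf '%s:%s\n' "$user" "$shell"
    done < "$1"
}

# Write a constructed sample passwd file (not real data) to the given path.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/usr/bin/rsh
carol:*:1003:100:Carol:/home/carol:/bin/true
dave:x:1004:100:Dave:/home/dave:/bin/ksh
EOF
}

SAMPLE=$(mktemp)
make_sample_passwd "$SAMPLE"
find_locked_with_full_shell "$SAMPLE"   # prints alice:/bin/sh
rm -f "$SAMPLE"
```

Run it against a copy of the real /etc/passwd (or the shadow file on shadowed systems) to list accounts that are "locked" yet still exposed through shell escapes.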