5029734 2000-04-21  20:00  /48 lines/ Postmaster
Recipient: Bugtraq (import) <10562>
Subject: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
MIME-Version: 1.0
X-Authenticated-Sender: #0003871056@gmx.net
X-Authenticated-IP: [206.181.245.167]
X-Flags: 0001
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID:  <8782.956247808@www5.gmx.net>
Date:         Thu, 20 Apr 2000 18:23:28 +0200
Reply-To: spoon spoon <sp00n@GMX.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: spoon spoon <sp00n@GMX.DE>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

>I noticed the following behavior in the pop3 server as shipped with
>Redhat 6.1 (still don't see

Qualcomm's POP servers have this problem as well, on Linux, Solaris,
etc.  Except the lock file gets stored wherever your users' mail is
stored.  /var/mail (on a Sun) or wherever. I guess a nice solution
would be to have a subdirectory with mode 700 permissions under
/var/mail/locks or something like that where only the popper can
write to. Or just ignore the lock if the owner of the lock file is
different than the userid of the person popping their mail.



$ > .jqpublic.pop
$ id
uid=1001(testacct) gid=1(other)
$ pwd
/var/mail
$ ls -la | more
total 465698
drwxrwxrwt   3 root     mail        6656 Apr 20 12:03 .
<cut>
-rw-r--r--   1 testacct     other          0 Apr 20 12:03 .jqpublic.pop
<cut>

+OK QPOP (version: 2.53) on solaris

jqpublic can't pop his mail

--
Sent through Global Message Exchange - http://www.gmx.net
(5029734) ------------------------------------------(Rewrapped)

5033879 2000-04-24  19:50  /66 lines/ Postmaster
Recipient: Bugtraq (import) <10585>
Subject: Re: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-md5sum: 75aa30d6ab5a324d4db4e44dd9036b9b
X-md5sum-Origin: lorien.mallorn.com
Message-ID:  <20000421145028.G30678@mallorn.com>
Date:         Fri, 21 Apr 2000 14:50:28 -0500
Reply-To: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <8782.956247808@www5.gmx.net>; from spoon spoon on Thu, Apr 20 
             2000 at 06:23:28PM +0200

> Qualcomm's POP servers have this problem as well, on Linux, Solaris, etc.
> Except the lock file gets stored wherever your users' mail is stored.
> /var/mail (on a Sun) or wherever. I guess a nice solution would be to have a
> subdirectory with mode 700 permissions under /var/mail/locks or something like
> that where only the popper can write to. Or just ignore the lock if the owner
> of the lock file is different than the userid of the person popping their
> mail.

The terminology and extensions used here are getting a little muddled,
so I'm going to edify for others who may be confused:

   username      : mailbox
   .username.pop : temporary mailspool location, effectively locks POP
   .username.lock: lockfile for "real" mailspool, locks LDA

qpopper has a compilation option to specify an alternate directory for
the .pop files.  From the INSTALL file, section 7f for Qualcomm's
popper version 2.53:

   POP_DROP - When qpopper runs, it moves your mailspool to a
   temporary location (.user.pop).  The default location is in the
   mail spool directory.  /tmp is an alternative but is considered to
   be a security risk. A system reboot usually clears the temporary
   .user.pop files. For performance reasons, a sysadmin who has 1000+
   users can create a separate spool directory for qpopper files;
   /usr/spool/poptemp is preferable. Permissions should be the same
   as your mailspool with the same owner and group. Edit the value
   of POP_DROP in config.h.

   For Eg: #define POP_DROP "/usr/spool/poptemp/.%s.pop"

Of course, if /usr/spool/poptemp is set 1777 you still have problems
with other people creating .pop files if they have local access to
the mail server.

As you suggested, a better solution would probably be similar to what
procmail does -- if a lockfile is detected and is not owned by the
user for whom the temporary mailspool is being created (excepting
root, as of version 3.14), it is overwritten with a new one using
proper permissions and ownership.

qpopper 3.0 is out, and although it boasts "improved mailbox locking
code," a cursory glance at the code *appears* to reveal the same
issues.  I'll set up a testbed to make sure.

Just to be clear, the worst thing that someone can do with this is a
DoS against POP requests for targeted users.

Chris
(5033879) ------------------------------------------(Rewrapped)
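The ownership check suggested in spoon's post and the procmail-style overwrite Chris describes, written out as an added example (not qpopper's or procmail's code). It assumes a spool directory like /var/mail and a lock named .user.pop; the function names and the scratch directory are hypothetical, and the self-check can only stage a same-uid lock, since a foreign-owned file cannot be created without privilege.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* A .user.pop found in the spool is trusted only if it is a regular file
 * owned by the user being served or by root (as procmail exempts root).
 * Any other uid, a symlink or a directory means it was planted: 1 = foreign. */
int lock_is_foreign(uid_t owner, mode_t mode, uid_t user)
{
    return !S_ISREG(mode) || (owner != user && owner != 0);
}

/* Take spool/.user.pop.  Returns an open fd, or -1 with errno set; EEXIST
 * means the user's own lock is live (a real busy session, not overridden). */
int acquire_pop_lock(const char *spool, const char *user, uid_t uid)
{
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/.%s.pop", spool, user) >= (int)sizeof path)
        { errno = ENAMETOOLONG; return -1; }
    /* lstat, not stat: never follow a symlink another local user planted */
    if (lstat(path, &st) == 0 && lock_is_foreign(st.st_uid, st.st_mode, uid) &&
        unlink(path) != 0 && errno != ENOENT)
        return -1;
    /* atomic create with O_EXCL; O_NOFOLLOW guards the unlink/open window */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a constructed scratch spool: the first acquire succeeds with
 * no group/other bits, the second by the same uid is refused with EEXIST. */
int demo_lock_flow(void)
{
    char dir[] = "/tmp/poplockXXXXXX", path[4200];   /* hypothetical spool */
    struct stat st;
    int fd, again, rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    fd = acquire_pop_lock(dir, "jqpublic", getuid());
    again = fd >= 0 ? acquire_pop_lock(dir, "jqpublic", getuid()) : -1;
    if (fd >= 0 && again < 0 && errno == EEXIST &&
        fstat(fd, &st) == 0 && (st.st_mode & 077) == 0)
        rc = 0;                                       /* both checks held */
    if (fd >= 0) close(fd);
    snprintf(path, sizeof path, "%s/.jqpublic.pop", dir);
    unlink(path); rmdir(dir);
    return rc;
}
```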

5034362 2000-04-24  22:07  /60 lines/ Postmaster
Recipient: Bugtraq (import) <10597>
Subject: Re: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSF.4.21.0004220535220.68121-100000@mail.godsey.net>
Date:         Sat, 22 Apr 2000 05:36:29 -0700
Reply-To: Jason Godsey <godsey@GODSEY.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jason Godsey <godsey@GODSEY.NET>
X-To:         spoon spoon <sp00n@GMX.DE>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <8782.956247808@www5.gmx.net>

I've had it use ~/.pop3.lock for quite some time (since 1995).  I'm
sure this won't work for people who don't provide users w/ home
directories, but it has worked for us.

Jason

On Thu, 20 Apr 2000, spoon spoon wrote:

> Date: Thu, 20 Apr 2000 18:23:28 +0200
> From: spoon spoon <sp00n@GMX.DE>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: pop3
>
> >I noticed the following behavior in the pop3 server as shipped with
> >Redhat 6.1 (still don't see
>
> Qualcomm's POP servers have this problem as well, on Linux, Solaris, etc.
> Except the lock file gets stored wherever your users' mail is stored.
> /var/mail (on a Sun) or wherever. I guess a nice solution would be to have a
> subdirectory with mode 700 permissions under /var/mail/locks or something like
> that where only the popper can write to. Or just ignore the lock if the owner
> of the lock file is different than the userid of the person popping their
> mail.
>
>
>
> $ > .jqpublic.pop
> $ id
> uid=1001(testacct) gid=1(other)
> $ pwd
> /var/mail
> $ ls -la | more
> total 465698
> drwxrwxrwt   3 root     mail        6656 Apr 20 12:03 .
> <cut>
> -rw-r--r--   1 testacct     other          0 Apr 20 12:03 .jqpublic.pop
> <cut>
>
> +OK QPOP (version: 2.53) on solaris
>
> jqpublic can't pop his mail
>
> --
> Sent through Global Message Exchange - http://www.gmx.net
>
(5034362) ------------------------------------------(Rewrapped)