5029734 2000-04-21 20:00 /48 lines/ Postmaster
Recipient: Bugtraq (import) <10562>
Subject: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@securityfocus.com
MIME-Version: 1.0
X-Authenticated-Sender: #0003871056@gmx.net
X-Authenticated-IP: [206.181.245.167]
X-Flags: 0001
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <8782.956247808@www5.gmx.net>
Date: Thu, 20 Apr 2000 18:23:28 +0200
Reply-To: spoon spoon <sp00n@GMX.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: spoon spoon <sp00n@GMX.DE>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

>I noticed the following behavior in the pop3 server as shipped with
>Redhat 6.1 (still don't see

Qualcomm's POP servers have this problem as well, on linux, solaris, etc.
Except the lock file gets stored wherever your users mail is stored.
/var/mail (on a sun) or wherever. I guess a nice solution would be to have a
subdirectory with mode 700 permissions under /var/mail/locks or something like
that where only the popper can write to. Or just ignore the lock if the owner
of the lock file is different than the userid of the person popping their
mail.

$ > .jqpublic.pop
$ id
uid=1001(testacct) gid=1(other)
$ pwd
/var/mail
$ ls -la | more
total 465698
drwxrwxrwt 3 root mail 6656 Apr 20 12:03 .
<cut>
-rw-r--r-- 1 testacct other 0 Apr 20 12:03 .jqpublic.pop
<cut>

+OK QPOP (version: 2.53) on solaris

jqpublic can't pop his mail

--
Sent through Global Message Exchange - http://www.gmx.net
(5029734) ------------------------------------------(Re-wrapped)

5033879 2000-04-24 19:50 /66 lines/ Postmaster
Recipient: Bugtraq (import) <10585>
Subject: Re: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-md5sum: 75aa30d6ab5a324d4db4e44dd9036b9b
X-md5sum-Origin: lorien.mallorn.com
Message-ID: <20000421145028.G30678@mallorn.com>
Date: Fri, 21 Apr 2000 14:50:28 -0500
Reply-To: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Christopher P. Lindsey" <lindsey@MALLORN.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <8782.956247808@www5.gmx.net>; from spoon spoon on Thu, Apr 20 2000 at 06:23:28PM +0200

> Qualcomm's POP servers have this problem as well, on linux, solaris, etc.
> Except the lock file gets stored wherever your users mail is stored.
> /var/mail (on a sun) or wherever. I guess a nice solution would be to have a
> subdirectory with mode 700 permissions under /var/mail/locks or something like
> that where only the popper can write to. Or just ignore the lock if the owner
> of the lock file is different than the userid of the person popping their
> mail.

The terminology and extensions used here are getting a little muddled,
so I'm going to edify for others who may be confused:

   username      : mailbox
   .username.pop : temporary mailspool location, effectively locks POP
   .username.lock: lockfile for "real" mailspool, locks LDA

qpopper has a compilation option to specify an alternate directory for
the .pop files.
From the INSTALL file, section 7f for Qualcomm's popper version 2.53:

   POP_DROP - When qpopper runs, it moves your mailspool to a temporary
   location (.user.pop). The default location is in the mail spool
   directory. /tmp is an alternative but is considered to be a security
   risk. A system reboot usually clears the temporary .user.pop files.
   For performance reasons, a sysadmin who has 1000+ users can create a
   separate spool directory for qpopper files; /usr/spool/poptemp is
   preferable. Permissions should be the same as your mailspool with the
   same owner and group. Edit the value of POP_DROP in config.h.
   For Eg: #define POP_DROP "/usr/spool/poptemp/.%s.pop"

Of course, if /usr/spool/poptemp is set 1777 you still have problems
with other people creating .pop files if they have local access to the
mail server.

As you suggested, a better solution would probably be similar to what
procmail does -- if a lockfile is detected and is not owned by the user
for whom the temporary mailspool is being created (excepting root, as of
version 3.14), it is overwritten with a new one using proper permissions
and ownership.

qpopper 3.0 is out, and although it boasts "improved mailbox locking
code," a cursory glance at the code *appears* to reveal the same issues.
I'll set up a testbed to make sure.

Just to be clear, the worst thing that someone can do with this is a
DOS against POP requests for targeted users.

Chris
(5033879) ------------------------------------------(Re-wrapped)

5034362 2000-04-24 22:07 /60 lines/ Postmaster
Recipient: Bugtraq (import) <10597>
Subject: Re: pop3
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.21.0004220535220.68121-100000@mail.godsey.net>
Date: Sat, 22 Apr 2000 05:36:29 -0700
Reply-To: Jason Godsey <godsey@GODSEY.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jason Godsey <godsey@GODSEY.NET>
X-To: spoon spoon <sp00n@GMX.DE>
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <8782.956247808@www5.gmx.net>

I've had it use ~/.pop3.lock for quite some time (since 1995).

I'm sure this won't work for people who don't provide users w/ home
directories, but it has worked for us.

Jason

On Thu, 20 Apr 2000, spoon spoon wrote:

> Date: Thu, 20 Apr 2000 18:23:28 +0200
> From: spoon spoon <sp00n@GMX.DE>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: pop3
>
> >I noticed the following behavior in the pop3 server as shipped with
> >Redhat 6.1 (still don't see
>
> Qualcomm's POP servers have this problem as well, on linux, solaris, etc.
> Except the lock file gets stored wherever your users mail is stored.
> /var/mail (on a sun) or wherever. I guess a nice solution would be to have a
> subdirectory with mode 700 permissions under /var/mail/locks or something like
> that where only the popper can write to. Or just ignore the lock if the owner
> of the lock file is different than the userid of the person popping their
> mail.
>
>
>
> $ > .jqpublic.pop
> $ id
> uid=1001(testacct) gid=1(other)
> $ pwd
> /var/mail
> $ ls -la | more
> total 465698
> drwxrwxrwt 3 root mail 6656 Apr 20 12:03 .
> <cut>
> -rw-r--r-- 1 testacct other 0 Apr 20 12:03 .jqpublic.pop
> <cut>
>
> +OK QPOP (version: 2.53) on solaris
>
> jqpublic can't pop his mail
>
> --
> Sent through Global Message Exchange - http://www.gmx.net
>
(5034362) ------------------------------------------(Re-wrapped)
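
The ownership rule suggested in the thread (do not honour a .pop file that the mailbox owner does not own, as procmail is described doing), written out as an added C example that is not qpopper's or any poster's code. `classify_drop` and `open_drop` are hypothetical helper names, and accepting root-owned files is an assumed reading of the procmail remark.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_state { DROP_ABSENT, DROP_OWNED, DROP_FOREIGN, DROP_ERROR };

/* Hypothetical helper (not qpopper code): classify an existing
 * .user.pop entry without following symlinks. */
enum drop_state classify_drop(int dirfd, const char *name, uid_t mailbox_uid)
{
    struct stat st;

    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == -1)
        return errno == ENOENT ? DROP_ABSENT : DROP_ERROR;
    /* A symlink, FIFO or directory is never a legitimate drop file. */
    if (!S_ISREG(st.st_mode))
        return DROP_FOREIGN;
    /* Rule from the thread: honour the file only if the mailbox owner
     * owns it; root is also accepted (assumed reading of the procmail note). */
    if (st.st_uid != mailbox_uid && st.st_uid != 0)
        return DROP_FOREIGN;
    /* A hard link to another of the user's files would pass the uid test. */
    if (st.st_nlink != 1)
        return DROP_FOREIGN;
    return DROP_OWNED;
}

/* Hypothetical helper: return an fd on a fresh or legitimately owned
 * drop file, or -1. In a sticky spool directory only root, the directory
 * owner or the file's owner can unlink the planted entry, so the daemon
 * must still hold that privilege when it calls this. */
int open_drop(int dirfd, const char *name, uid_t mailbox_uid)
{
    switch (classify_drop(dirfd, name, mailbox_uid)) {
    case DROP_FOREIGN:
        if (unlinkat(dirfd, name, 0) == -1)
            return -1;
        /* fall through */
    case DROP_ABSENT:
        /* O_EXCL fails if someone re-creates the name in the gap. */
        return openat(dirfd, name, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    case DROP_OWNED:
        return openat(dirfd, name, O_RDWR | O_NOFOLLOW);
    default:
        return -1;
    }
}
```

A caller that gets -1 after the unlink step should treat it as a lost race and retry or refuse the session rather than fall back to the planted file.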