HP's OpenMail system consists of a server package that installs on an HP9000 workstation, as well as a client (Omgui). Other mail systems may also be able to interface to it.

In Omgui, if you select "Options->Printer..." from the menu, you will be prompted for a printer command. The default is something like "lp -dlaser4si". This command is simply executed on the server, presumably using the system() call. This means that any mail user can run arbitrary shell commands on the mail server. For example, if I change my printer to: cat /etc/passwd | /usr/lib/sendmail jones and print a message, then I will get a copy of the password file.

The good news is that mail users have their own Unix UIDs on the server. ("id | /usr/lib/sendmail jones" returns the relevant info.) As long as OpenMail stores users' mail folders as user-owned files with appropriate permissions, then there should be no way to read other users' mail.

The real problem is situations where the sysadmin has denied users regular login access to the mail server, possibly by putting "*" in the password field. This is standard practice as a security measure. If you have done this on your OpenMail server, then you may want to check your security measures carefully - your users can get the equivalent of a shell whether you allow it or not.
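As an added illustration (not code from the post or from HP's OpenMail), the following C shows the pattern the post describes, a user-controlled printer string handed to system(), beside a hardened form that accepts only a printer name, checks it against a strict character set and runs lp(1) through execvp with an argv array so no shell ever sees the user's input. The printer names and the assumption that the setting becomes a bare destination name rather than a full command are hypothetical.

```c
/* Added example, not the original post's or OpenMail's code. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
/* Unsafe pattern the post describes: the printer string set by the mail
 * user reaches system(), so /bin/sh interprets ';', '|' and friends. */
int print_unsafe(const char *user_command, const char *msgfile)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s < %s", user_command, msgfile);
    return system(cmd);
}
/* Hardened: the user supplies only a printer name, checked against a
 * strict character set (letters, digits, '_', '-') before use. */
int is_safe_printer_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}
/* Runs lp(1) with an argv array and no shell; the destination becomes
 * "-d<printer>". Returns -1 if the name is rejected, else lp's exit status. */
int print_safe(const char *printer, const char *msgfile)
{
    char flag[40];
    if (!is_safe_printer_name(printer)) return -1;
    snprintf(flag, sizeof flag, "-d%s", printer);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(msgfile, O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0) _exit(127);
        char *argv[] = { "lp", flag, NULL };
        execvp(argv[0], argv); /* no /bin/sh involved */
        _exit(127);
    }
    int status;
    return waitpid(pid, &status, 0) < 0 ? -1 : WEXITSTATUS(status);
}
```

Rejecting the whole setting when it is not a plain printer name is what closes the hole; escaping metacharacters before system() is far more fragile.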
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:35 PDT