dej wrote...

> The good news is that mail users have their own Unix UIDs on the server.
> The real problem is situations where the sysadmin has denied users regular
> login access to the mail server, possibly by putting "*" in the password
> field. This is standard practice as a security measure. If you have done
> this on your OpenMail server, then you may want to check your security
> measures carefully - your users can get the equivalent of shell whether you
> allow it or not.

This is a generic issue with any program that permits shell escapes. It is generally-accepted good practice to set up UNIX users with an appropriately-configured restricted shell. Relying on a '*' in the password field is not sufficient--that only means "deny logon", not "deny arbitrary shell command."

For even tighter security, the shell can be reset to /bin/true, but that would not of course allow a user to call lp.

OpenMail administrators can also look into the OpenMail "print server" functionality, particularly the documentation on the general.cfg setting UAL_PRINT_SERVER_ONLY in the OpenMail Technical Guide.

Regards,
richi.
--
Richi Jennings <richiat_private>
Phone: +44 (0)1344-365870 or HPT316-5870
OpenMail Outbound & Technical
Pager: richi-beepat_private
HP Communications Software Oper. UK
http://www.hp.com/go/openmail
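
An audit for the situation discussed in the message above, as an added example that is not part of the original post: it reads passwd(5)-format entries, keeps the accounts whose password field is "*", and classifies each by its login shell. The function names, the lists of shell basenames treated as "no-shell" and "restricted", and the sample entries are assumptions constructed for illustration; adjust the lists to the shells installed on the server.

```shell
#!/bin/sh
# Added example: find accounts where logon is denied with "*" but the
# login shell field still names a shell.
# Input format (passwd(5)): name:passwd:uid:gid:gecos:home:shell

# Reads passwd-format lines on stdin; prints "name shell verdict" per
# account whose password field is "*".
classify_locked_accounts() {
    awk -F: '
        $2 != "*" { next }                  # only accounts with "*" as password
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field: default shell
            n = split(shell, parts, "/")
            base = parts[n]
            # Assumed name lists; site-specific, extend as needed.
            if (base == "true" || base == "false" || base == "nologin")
                verdict = "no-shell"
            else if (base == "rksh" || base == "rbash")
                verdict = "restricted"
            else
                verdict = "full-shell"
            print $1, shell, verdict
        }
    '
}

# Constructed sample entries, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:*:2001:200:Mail user:/home/alice:/bin/ksh
bob:*:2002:200:Mail user:/home/bob:/bin/true
carol:*:2003:200:Mail user:/home/carol:/usr/bin/rksh
dave:*:2004:200:Mail user:/home/dave:
EOF
}

sample_passwd | classify_locked_accounts
```

On a live system, feed it the real account database, for example `classify_locked_accounts < /etc/passwd`; entries reported as `full-shell` are the ones to review first, and `restricted` ones still depend on how the restricted shell is configured.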
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:50:55 PDT