Hi all!

Does anybody know how to correctly restrict the directories users can access via imap (Washington State)? I do not want users to download arbitrary world-readable files from our server via

    weinberg@genji:~ > telnet mailhost imap2
    0 login weinberg passwdbla
    0 select "/etc/passwd"
    0 fetch 1 body[]
    0 logout

but allow access to /home/user and /var/spool/mail/user.

The last thing I tried was creating a user-accessible /black directory, with links

    /black/var/spool/mail -> /var/spool/mail/
    /black/home -> /home/

and set in the /etc/c-client.cf:

    I accept the risk for IMAP toolkit 4.1.
    set black-box-directory /black/
    set black-box-default-home-directory /black/home/

However, "{mailbox}/var/spool/mail/user" is selectable and gains access to the user-mailbox, while the widely used "{mailbox}inbox" selects an inbox with 0 messages found.

I am not at all happy with playing around with totally undocumented options like black-box-default-home-directory ...

Regards, Volker Weinberg

----------------------------------------------------------------------------
Volker Weinberg      email:   volker.weinberg@physik.uni-muenchen.de
Dept.of Physics      phone:
Univ. of Munich        at home: (089) 14 56 09
(Germany)              at CIP:  (089) 21 80-24 05
                     address: Andernacher Str. 17
                              80993 Muenchen
----------------------------------------------------------------------------
Try Cyrus, it's a sealed box solution. I wouldn't use wuimapd on a server with possibly hostile users.

http://securityportal.com/lskb/10000100/kben10000148.html

Kurt
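
An added example, not part of either post: a detection check that scans client command lines from an IMAP trace for mailbox arguments that are filesystem paths rather than folder names, as in the `select "/etc/passwd"` session in the question. The command set, the path heuristics and the sample lines are assumptions constructed for this example.

```python
import re

# IMAP commands whose first argument is a mailbox name (RFC 3501).
MAILBOX_COMMANDS = {"SELECT", "EXAMINE", "CREATE", "DELETE", "RENAME",
                    "SUBSCRIBE", "UNSUBSCRIBE", "STATUS", "APPEND"}

# tag, command, then the first argument as a quoted string or a bare atom.
LINE_RE = re.compile(r'^(\S+)\s+([A-Za-z]+)\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def mailbox_argument(line):
    """Return (COMMAND, mailbox) for a mailbox command line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(2).upper() not in MAILBOX_COMMANDS:
        return None
    quoted, atom = m.group(3), m.group(4)
    # Undo backslash escapes inside a quoted string.
    name = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else atom
    return m.group(2).upper(), name


def is_filesystem_style(name):
    """True if the name is an absolute path or contains a '..' segment."""
    # Ignore a leading remote specification such as {mailbox}.
    local = re.sub(r'^\{[^}]*\}', '', name)
    if local.upper() == "INBOX":
        return False
    return local.startswith("/") or ".." in local.split("/")


def flag_session(lines):
    """Return (line_number, command, mailbox) for each suspicious command."""
    hits = []
    for number, line in enumerate(lines, 1):
        parsed = mailbox_argument(line)
        if parsed and is_filesystem_style(parsed[1]):
            hits.append((number, parsed[0], parsed[1]))
    return hits


# Constructed sample: the session from the question plus extra test lines.
SAMPLE = [
    '0 login weinberg passwdbla',
    '0 select "/etc/passwd"',
    '0 fetch 1 body[]',
    'a1 select "{mailbox}inbox"',
    'a2 examine "{mailbox}/var/spool/mail/user"',
    'a3 select mail/../../etc/hosts',
    '0 logout',
]

if __name__ == "__main__":
    for hit in flag_session(SAMPLE):
        print("line %d: %s %r" % hit)
```

A hit only shows that a client asked for a path-style name; whether the server honoured it depends on the tagged response that follows in the trace.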
participants (2): Kurt Seifried, Volker Weinberg