Mailing List Archive

Re: Re[4]: security
As an elaboration, I believe that yes, "this guy" does know enough to answer
your question accurately. His point being that qmail itself appears to be
secure, but a user can trivially compromise their range of access with an
injudicious .qmail file.

The joke is that it's nothing unique to qmail as the same problem exists in
.forward with sendmail/smail and is a fairly obvious problem whenever local
delivery allows process invocation.

To make it painfully obvious: qmail is as vulnerable as sendmail if users
are allowed to construct and invoke their own .forwards. Apart from that,
the general opinion seems to be that qmail offers better security for
structural reasons. I'm of the view that that opinion is correct.


Regards.



At 07:16 AM 2/19/97 EST, Norman Bollinger wrote:
>>Yes.
>Gee thanks but now where to? Norman
>
>>
>>At 06:43 AM 2/19/97 EST, Norman Bollinger wrote:
>>>Does this guy really know what he is talking about or is there
>>>a joke here that I missed? Norman
>>>>At 08:46 PM 2/18/97 -0600, Graphic Rezidew wrote:
>>>>>
>>>>>
>>>>> are there any known security holes in Qmail 0.93?
>>>>>
>>>>
>>>>Depends on what you mean by "security holes". There are no
>>>>known exploits to gain access to a root shell, or to /etc/passwd. On the
>>>>other hand, all you need a user to do is create a .qmail-hole file containing
>>>>|grep '^#'|sed 's/^#//'|sh
>>>>and there's your ``security hole''.
>>>>-russ
>>>>
>>>
>>>
>>
>
>
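
An added example, not part of the original thread and not qmail's own code: a small audit that classifies .qmail lines by their first character (the dot-qmail rules: `#` comment, `|` program, `/` or `.` file delivery, anything else a forward) and flags program deliveries that hand the incoming message to an interpreter on stdin. The function names, the interpreter list and the sample file are assumptions made for illustration, and the pipeline split is a heuristic rather than a full shell parser.

```python
import shlex

# Assumed list: interpreters that execute stdin when given no script argument.
INTERPRETERS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "perl", "python"}

# Constructed sample .qmail content; the last line is the one quoted in the thread.
SAMPLE = """\
# constructed sample
./Maildir/
&backup@example.org
|/usr/bin/procmail
|grep '^#'|sed 's/^#//'|sh
"""

def classify(line):
    """Delivery type of one .qmail line, decided by its first character."""
    if not line.strip():
        return "blank"
    first = line[0]
    if first == "#":
        return "comment"
    if first == "|":
        return "program"
    if first in "/.":
        return "maildir" if line.rstrip().endswith("/") else "mbox"
    return "forward"

def runs_stdin_as_code(command):
    """True if any pipeline stage is a bare interpreter, so sender-controlled
    bytes end up executed. Splits on '|' naively (heuristic)."""
    for stage in command.split("|"):
        try:
            words = shlex.split(stage)
        except ValueError:          # unbalanced quotes after the naive split
            words = stage.split()
        if not words:
            continue
        name = words[0].rsplit("/", 1)[-1]
        args = [w for w in words[1:] if not w.startswith("-")]
        if name in INTERPRETERS and not args:
            return True
    return False

def audit(text):
    """Return (line_number, severity, line) for every program delivery."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if classify(line) == "program":
            sev = "high" if runs_stdin_as_code(line[1:]) else "review"
            findings.append((n, sev, line))
    return findings
```

The same first-character check applies to `|program` entries in a sendmail .forward, which is the parallel the message draws.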