On Sat, 4 Sep 1999, John Chambers,,,781-647-1813 wrote:

> Jeez; you'd think they have purged gets from all the C libraries by
> now! ;-)
>
> Buffer overflows aside, I did get ipop3d running, dug around in the
> RFC, and threw together a little tcl testing tool to exercise it
> remotely. In the process, I got curious about Redhat's (linuxconf's)
> gimmick for adding POP3 users to the system. It includes options for
> creating a POP-only user. I suspect that IMAP will work as well, but
> that wasn't what got me curious. It seemed that they were trying to
> be reassuring that such a user could do nothing but fetch mail. The
> use of /bin/false as the shell looks reassuring, and of course a
> login attempt simply got a new login prompt.
>
> So, just for the fun of it, I decided to ftp to the site and tell
> ftpd that I was the POP-only user. It worked just fine. And I wasn't
> in with any sort of restricted, anonymous permissions. I could cd to
> /etc without problem, and could get a copy of any of the files there.
>
> Now, a logged-in user can do the same thing, of course, though it's
> not quite as easy. But as I said, I'd gotten the impression that this
> was being set up as an email-only account. Not hardly.

This should not work! The ftp daemon is not supposed to allow login from users unless their default shell is in /etc/shells (which /bin/false should NOT be!) or I think it will allow /bin/sh and /bin/csh if /etc/shells does not exist or is empty.

Check /etc/shells and see if /bin/false is in there... if it isn't, I have no idea why you could get in. Maybe the ftpd that ships with RH 6 is broken?

--
Derek D. Martin | UNIX System Administrator
derek at netria.com | dmartin at lancity.com
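
Added example, not part of the original messages: a small audit of the /etc/shells check suggested in the reply, reporting accounts whose no-login shell is nevertheless listed as an approved shell. The list of no-login shells, the function names and the sample data are assumptions made for illustration; it tests only the /etc/shells condition, not anything else a particular ftpd may check.

```python
#!/usr/bin/env python3
"""Find no-login accounts that still pass an /etc/shells check (added example)."""

# Fallback described in the message for a missing or empty /etc/shells.
DEFAULT_SHELLS = ("/bin/sh", "/bin/csh")
# Shells commonly given to accounts meant to have no interactive login (assumed list).
NOLOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_shells(text):
    """Return the shells listed in /etc/shells content, or the fallback if none."""
    shells = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    shells = [s for s in shells if s.startswith("/")]
    return shells or list(DEFAULT_SHELLS)

def parse_passwd(text):
    """Yield (user, shell) pairs; an empty shell field means /bin/sh."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            yield fields[0], fields[6] or "/bin/sh"

def audit(passwd_text, shells_text):
    """Return (user, shell) for no-login accounts whose shell is an approved one."""
    allowed = set(parse_shells(shells_text))
    return [(u, s) for u, s in parse_passwd(passwd_text)
            if s in NOLOGIN_SHELLS and s in allowed]

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
popuser:x:501:501:POP-only user:/home/popuser:/bin/false
alice:x:502:502::/home/alice:/bin/bash
"""
SHELLS_BAD = "/bin/sh\n/bin/bash\n/bin/false   # added for mail-only users\n"
SHELLS_GOOD = "# valid login shells\n/bin/sh\n/bin/bash\n"

def read_text(path):
    """Read a file, treating a missing file as empty."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""

if __name__ == "__main__":
    print("sample, /bin/false listed:", audit(SAMPLE_PASSWD, SHELLS_BAD))
    print("sample, /bin/false absent:", audit(SAMPLE_PASSWD, SHELLS_GOOD))
    print("this host:", audit(read_text("/etc/passwd"), read_text("/etc/shells")))
```

An empty result for "this host" means no account with one of the assumed no-login shells passes the /etc/shells check.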