Author: Dom Mitchell
Date:
To: John Henders
CC: exim-users
Subject: Re: Local delivery problems on FreeBSD

>>> John Henders said:
> On Nov 28, mark@??? (Mark Murray) wrote:
>
> > NO WAY!!! Major security hole!
>
> Not if you make sure your mail clients don't delete empty mail boxes.
> Also, making sure no system id has mail delivered to its mail box (use
> aliases) and there are no race conditions left to exploit.

Yes, major security hole. Simply due to the fact that any user can
create any file in there. For example, if the admin creates a new
account which hasn't been sent mail yet, the malicious luser can
create a mailbox for him... nasty. I don't know how different MUAs
react to a mailbox with the wrong owner, but there's bound to be at
least one that gets it wrong...
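
The following audit is an added example, not part of the original message or of Exim. It checks a one-file-per-user mail spool for the condition discussed above: a world-writable directory and mailboxes whose owner is not the account they are named after. The function name `audit_spool`, the `lookup_uid` parameter and the spool path passed on the command line are assumptions made for illustration.

```python
import os
import pwd
import stat
import sys


def _passwd_uid(name):
    # Raises KeyError when no account with this name exists.
    return pwd.getpwnam(name).pw_uid


def audit_spool(spool, lookup_uid=_passwd_uid):
    """Return (path, problem) pairs for a spool holding one mailbox per user."""
    findings = []
    # Any user can create files in a directory that others may write to.
    if os.lstat(spool).st_mode & stat.S_IWOTH:
        findings.append((spool, "directory is world-writable"))
    for name in sorted(os.listdir(spool)):
        path = os.path.join(spool, name)
        st = os.lstat(path)  # lstat so a planted symlink is not followed
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        try:
            expected = lookup_uid(name)
        except KeyError:
            # Also reports lock files and other stray entries.
            findings.append((path, "no account with this name"))
            continue
        if st.st_uid != expected:
            # A mailbox created by someone other than its user.
            findings.append(
                (path, "owned by uid %d, expected %d" % (st.st_uid, expected)))
    return findings


if __name__ == "__main__":
    # Usage: python audit_spool.py <spool directory>
    for path, problem in audit_spool(sys.argv[1]):
        print("%s: %s" % (path, problem))
```
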