On Tue, 17 Feb 2009, Sam posted:
Another way is if the client sends a leading / . If it asks to list /*
(note that the * wildcard is recursive in IMAP), imapd will dutifully list
every path name that an unprivileged POSIX user can locate on the
By default, UW imapd's security settings are the host system's POSIX
security settings. Whether that is a bug or a feature depends entirely
upon individual point of view. It is instructive to read the old Bell
Labs UNIX papers...
You can disable UW IMAP's handling of / and .. by editing file
Look for the line which reads:
static long restrictBox = NIL; /* is a restricted box */
Change that line to:
static long restrictBox = RESTRICTROOT; /* is a restricted box */
There are other security mechanisms that you can enable in UW imapd as
well, including a chroot() jail. I personally don't recommend the use of
chroot() jails, as they often introduce more security problems than they
As for why you have to edit source code instead of just editing a config
file, there are three parts of the answer:
(1) You actually can just edit a config file. I just tell you not to do
it. You can choose to disregard that advice; the information on how to do
it is out there.
(2) The config file for UW imapd actually affects the underlying c-client
library, as opposed to just imapd. If the system is also used by other
applications that use c-client, such as Pine and Alpine, you may have
(3) Unlike most software that has config files, UW imapd will run in a
reasonable fashion without the config file. In fact, most installations
don't have one. The problem with having your security settings depend
upon the config file in such circumstances is that if, for any reason, the
config file goes missing or is broken, it is highly likely that imapd will
continue to work just fine...but all your security settings are gone!
Anyway, answers (2) and (3) are why I tell people not to do (1). I've
seen too many sites shoot themselves in the foot.
The lesson here for future software designers is that you can have a "zero
config setup" or you can have "configurable security settings", but you
should not attempt to have both.
-- Mark --
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
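
Added example, not part of the message above and not c-client code: a minimal C sketch of the design lesson, where the restriction on leading / and .. is compiled in and an optional config file can only tighten it, so a missing or broken file never loosens anything. The `ex_` names, the `EX_RESTRICT_*` flags and the `restrict=` config key are hypothetical and exist only for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical flag names for this example; not c-client's definitions. */
#define EX_RESTRICT_NONE 0L
#define EX_RESTRICT_ROOT 1L   /* refuse a leading "/" and ".." components */

/* Compiled-in policy: restricted unless the binary is rebuilt. */
static const long ex_builtin_restrict = EX_RESTRICT_ROOT;

/* Parse an optional "restrict=<n>" entry (hypothetical key) from config text.
 * config may be NULL (file missing) or garbage (file broken). The result can
 * only add bits to the compiled-in policy, never clear them. */
long ex_effective_restrict(const char *config)
{
    long flags = ex_builtin_restrict;
    const char *p = config ? strstr(config, "restrict=") : NULL;
    if (p) {
        char *end;
        long v = strtol(p + 9, &end, 10);
        if (end != p + 9 && v >= 0)
            flags |= v;               /* tighten only */
    }
    return flags;
}

/* Return 1 if the mailbox name may be opened or listed under flags. */
int ex_name_allowed(const char *name, long flags)
{
    if (!(flags & EX_RESTRICT_ROOT))
        return 1;                     /* only host POSIX permissions apply */
    if (name[0] == '/')
        return 0;                     /* absolute path */
    for (const char *s = name; *s; ) {    /* walk "/"-separated components */
        size_t n = strcspn(s, "/");
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return 0;                 /* ".." climbs out of the mail directory */
        s += n;
        if (*s == '/') s++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample mailbox names. */
    const char *names[] = { "INBOX", "lists/bugtraq", "/*", "../../etc/passwd", "a..b" };
    long flags = ex_effective_restrict(NULL);     /* config file missing */
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("%-18s %s\n", names[i], ex_name_allowed(names[i], flags) ? "allowed" : "refused");
    return 0;
}
```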