Access Control

Tinymail requires UW imapd to be run as a pre-authenticated user. One way to do that is to call tinymail.pl from a suid wrapper (tinymail.html) which sets UID to the Remote-User. Authentication is done against a copy of the (DES) system password file using SSL to protect the somewhat weak password against wireless sniffing. Other HTTP authentication schemes such as MD5 Digest or Apache LDAP authentication (which is also DES) could be used.

The following is a typical piece of httpd.conf to create a password-protected directory:

ScriptAlias /authcgi/ "/var/www/auth_cgi/"
<Directory "/var/www/auth_cgi/">
    AllowOverride None
    Options None
    AuthUserFile "/var/www/web_passwd"
    AuthType Basic
    AuthName "TinyMail Users"
    require valid-user
</Directory>

For this to work, Apache needs read access to the password file (basically a copy of /etc/shadow), but users do not.

There are clearly security issues here. Remote users must have no way to create a script capable of accessing the password file, and should probably not have shell access. The root password should not be included in the webserver-accessible copy.
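
One way to build the webserver-accessible copy so that it leaves out root and is not readable by ordinary users, as an added example that is not part of Tinymail or the original page. The sample shadow entries are constructed, the function names and the 0640 mode are assumptions, and skipping locked or empty-password accounts goes beyond what the page asks for.

```python
import os
import tempfile

# Constructed sample in /etc/shadow layout (name:hash:aging fields...).
# The hashes are made-up placeholders, not real crypt() output.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:cdQ1x0Pq8tK2E:19000:0:99999:7:::
bob:!efR7mZs4uV9aA:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:ghT3nWk6yL5cM:19000:0:99999:7:::
"""

EXCLUDED_USERS = {"root"}  # the page: keep root out of the web copy

def filter_shadow(shadow_text, excluded=EXCLUDED_USERS):
    """Return 'user:hash' lines for AuthUserFile, without excluded users."""
    kept = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if user in excluded:
            continue
        # Assumption beyond the page: skip locked ('!', '*') and empty hashes.
        if not pw_hash or pw_hash[0] in "!*":
            continue
        kept.append(f"{user}:{pw_hash}")
    return kept

def write_web_passwd(path, entries, mode=0o640):
    """Write the file atomically; it is never world-readable, even mid-write."""
    # Group ownership (Apache's group) is set separately by the admin.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(e + "\n" for e in entries))
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def world_accessible(path):
    """True if 'other' has any permission bit set on the file."""
    return bool(os.stat(path).st_mode & 0o007)
```

Running `world_accessible()` against the deployed file from a periodic job catches a copy that was later re-created with looser permissions.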