Unfortunately, I only have experience with Unix systems.
Hence these security issues are applicable to Unix systems only, not Windows.
- The application does not support public key cryptography, because both ends are supposed to be used by the same user.
- No password nor encryption key are transmitted. There is no need because of the same reason above. Both ends are supposed to know the same key.
- The email content is encoded with the symmetric key encryption.
- No version info is used throughout the product.
- The actim server is not allowed to be started by root user.
- The program, actim does not start if .actimrc file is world readable. Only owner readable is allowed.
- The program, actimd starts if .actimdrc file is owner readable (0400 or 0600).
If .actimdrc file is not owned by the caller, then the file must only have read permission granted (0444, 0644, 0604, etc).
- All the file transfers and command line executions are logged through syslog under UNIX platforms.
- Adding new tweaks, startTime and endTime, allows the user to specify what time of a day that the server is allowed to look for any new actim email.
- Adding new tweak, allowExecution, allows the user to config the server to accept command-line events from remote sites.
- Adding new tweak, allowFileReceive, allows the user to config the server to allow files received from a remote site.
- Adding new tweak, allowFileSend, allow the user to config the server to allow files send to a remote site.
- Adding new tweak, restrictedExecution, allows the server to execute certain command-lines. This is only if allowExecution is on.