quick poppassd question

Wolfpaw - Dale Corse admin-lists at wolfpaw.net
Mon Jun 2 08:18:41 PDT 2003 

looks good to me :)

D.
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

> -----Original Message-----
> From: owner-freebsd-isp at freebsd.org
> [mailto:owner-freebsd-isp at freebsd.org]On Behalf Of Support
> Sent: Monday, June 02, 2003 5:04 AM
> To: security at freebsd.org
> Cc: isp at freebsd.org
> Subject: quick poppassd question
>
>
> Hello,
>
> I did a quick change to the patched port of poppassd and am
> wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists,
> also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with priveleged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd
> provided that
> users with valid passwords already have shell access to the
> system, and
> now nobody can try to change priveleged accounts' passwords?
>
> --- cut ---
>
>      if ((pw = getpwnam (user)) == NULL)
>      {
>           syslog (LOG_ERR, "Unknown user, %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>
>      /* begin added code */
>      if ((pw->pw_uid) < 1001)
>      {
>           syslog (LOG_ERR, "Priveleged user, %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>      /* end added code */
>
>      if (chkPass (user, oldpass, pw) == FAILURE)
>      {
>           syslog (LOG_ERR, "Incorrect password from %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>
> --- cut ---
>
> Perhaps if this passes everyone's scrutiny, it could be added as yet
> another patch to poppassd with the min UID defined somewhere in the
> Makefile or poppassd.c.
>
> Thanks for your help,
>
> Andrew
> _______________________________________________
> freebsd-isp at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to
> "freebsd-isp-unsubscribe at freebsd.org"
>

More information about the freebsd-isp mailing list