Date: Sun, 14 Jan 2001 13:21:59 -0800 (PST)
From: jardin@enst.fr
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/24327: inn (ckpasswd) does not support master.passwd
Message-ID: <200101142121.f0ELLxd81826@freefall.freebsd.org>

>Number:         24327
>Category:       ports
>Synopsis:       inn (ckpasswd) does not support master.passwd
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 14 13:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Vincent Jardin
>Release:        4.2-RELEASE i386
>Organization:   student
>Environment:
FreeBSD mars.tapasmail.net 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Mon Nov 20 13:02:55 GMT 2000 jkh@bento.FreeBSD.org:/usr/src/sys/compile/GENERIC i386
>Description:
There is a security issue with FreeBSD when one wants to configure a user
password (see readers.conf) that is supposed to use the system's password.
But this file can only be read by the uid 0 on a FreeBSD (/etc/master.passwd)
with the function getpwnam.

The bug is in inn-2.3.0/authprogs/ckpasswd.c (line 44)

The fix is to set the user to root.news for ckpasswd the user's sticky bit
(chmod 4755)
>How-To-Repeat:
activate the users' passwords for inn (readers.conf) like in readers.conf(5)
And telnet server 119 ...
>Fix:
chown root.news ckpasswd
chmod 4755 ckpasswd
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
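
Added example, not part of the original report and not code from INN's ckpasswd.c: a password checker installed setuid root, as the Fix above proposes, needs root only for the getpwnam() call, so it can read the hash and then give up root permanently before doing anything else. The function names and the sample user "news" are hypothetical.

```c
/* Added example: names below are hypothetical, not from INN's ckpasswd.c. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Without euid 0, getpwnam() hands back a placeholder instead of the hash
 * ("*" on FreeBSD, "x" on shadow-password systems). */
int field_is_placeholder(const char *f)
{
    return f == NULL || f[0] == '\0' || strcmp(f, "*") == 0 || strcmp(f, "x") == 0;
}

/* Copy the user's password field into out, then permanently give up the
 * setuid-root effective uid. Returns 0 if a real hash was read, 1 if only a
 * placeholder was visible, -1 on error (unknown user, small buffer, or
 * privileges could not be dropped). */
int fetch_hash_then_drop(const char *user, char *out, size_t outlen)
{
    int rc = -1;
    struct passwd *pw = getpwnam(user);   /* the only step that needs root */

    if (pw != NULL && pw->pw_passwd != NULL && strlen(pw->pw_passwd) < outlen) {
        strcpy(out, pw->pw_passwd);
        rc = field_is_placeholder(out) ? 1 : 0;
    }
    /* Group first, then user: called with euid 0, setuid() resets the real,
     * effective and saved uid together, so root cannot be regained. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Confirm the drop when the invoking user was not root already. */
    if (getuid() != 0 && (setuid(0) == 0 || geteuid() == 0))
        return -1;
    return rc;
}

int main(int argc, char **argv)
{
    char hash[256];
    /* "news" is a sample account name chosen for this example. */
    int rc = fetch_hash_then_drop(argc > 1 ? argv[1] : "news", hash, sizeof hash);

    printf("lookup=%d euid=%ld\n", rc, (long)geteuid());
    return rc == 0 ? 0 : 1;
}
```

A return value of 1 is the condition the report describes: the binary ran without uid 0 and saw only the placeholder field.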