From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 06:04:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 35EC837B401 for ; Mon, 2 Jun 2003 06:04:01 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7127543F85 for ; Mon, 2 Jun 2003 06:04:00 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (dhcp-187.centtech.com [204.177.173.187]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h52D3x56010733; Mon, 2 Jun 2003 08:03:59 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3EDB4AE0.8060408@centtech.com> Date: Mon, 02 Jun 2003 08:02:24 -0500 From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Support References: <20030602085600.B84160@alice.netmint.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: quick poppassd question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Jun 2003 13:04:01 -0000 Support wrote: > Hello, > > I did a quick change to the patched port of poppassd and am wondering if > you think my code would introduce any potential problems. > > The idea is right after we check if the username exists, also check if the > UID of that username is over 1000. I wanted to make sure that no one > monkeys around with priveleged users once poppassd is running. > > So, the middle chunk of code is mine, everything else has been there > before me. > > What's the general feeling about the security of poppassd provided that > users with valid passwords already have shell access to the system, and > now nobody can try to change priveleged accounts' passwords? I usually don't give pop user's shell access, unless they really need it. That's just me though. > --- cut --- > > if ((pw = getpwnam (user)) == NULL) > { > syslog (LOG_ERR, "Unknown user, %s", user); > sleep (5); > WriteToClient ("500 Old password is incorrect."); > exit(1); > } > > /* begin added code */ > if ((pw->pw_uid) < 1001) > { > syslog (LOG_ERR, "Priveleged user, %s", user); > sleep (5); > WriteToClient ("500 Old password is incorrect."); Wouldn't it be better to send a more descriptive error message back? Maybe something like "500 Denied for priveleged user"? Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology Attitudes are contagious, is yours worth catching? ------------------------------------------------------------------