From owner-freebsd-security@FreeBSD.ORG  Mon Jun  2 06:20:57 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 344B637B404
	for <freebsd-security@freebsd.org>;
	Mon,  2 Jun 2003 06:20:57 -0700 (PDT)
Received: from alice.netmint.com (alice.netmint.com [207.106.37.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 610C843F85
	for <freebsd-security@freebsd.org>;
	Mon,  2 Jun 2003 06:20:56 -0700 (PDT)
	(envelope-from support@netmint.com)
Received: from alice.netmint.com (localhost.netmint.com [127.0.0.1])
	by alice.netmint.com (8.12.8p1/8.12.8) with ESMTP id h52DKnxI085543;
	Mon, 2 Jun 2003 09:20:49 -0400 (EDT)
	(envelope-from support@netmint.com)
Received: from localhost (support@localhost)h52DKmYN085538;
	Mon, 2 Jun 2003 09:20:48 -0400 (EDT)
	(envelope-from support@netmint.com)
X-Authentication-Warning: alice.netmint.com: support owned process doing -bs
Date: Mon, 2 Jun 2003 09:20:48 -0400 (EDT)
From: Support <support@netmint.com>
To: Eric Anderson <anderson@centtech.com>
In-Reply-To: <3EDB4AE0.8060408@centtech.com>
Message-ID: <20030602091702.J85433@alice.netmint.com>
References: <20030602085600.B84160@alice.netmint.com>
	<3EDB4AE0.8060408@centtech.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: quick poppassd question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jun 2003 13:20:57 -0000

> I usually don't give pop user's shell access, unless they really need
> it.  That's just me though.

You're absolutely right. Neither do I. I was speaking from the standpoint
of: if at least one user has shell access...

>
> > --- cut ---
> >
> >      if ((pw = getpwnam (user)) == NULL)
> >      {
> >           syslog (LOG_ERR, "Unknown user, %s", user);
> >           sleep (5);
> >           WriteToClient ("500 Old password is incorrect.");
> >           exit(1);
> >      }
> >
> >      /* begin added code */
> >      if ((pw->pw_uid) < 1001)
> >      {
> >           syslog (LOG_ERR, "Priveleged user, %s", user);
> >           sleep (5);
> >           WriteToClient ("500 Old password is incorrect.");
>
> Wouldn't it be better to send a more descriptive error message back?
> Maybe something like "500 Denied for priveleged user"?

Just wanted to let people infinitely try to guess the root password, if
they really wanted to.

How is most recent patched poppassd port security in general? Is doing the
UID comparison a potential problem? I'm trying to be as conservative as
possible with changes to code that runs as root and changes people's
passwords. :)

Andrew