Date: Mon, 2 Jun 2003 09:20:48 -0400 (EDT)
From: Support <support@netmint.com>
To: Eric Anderson <anderson@centtech.com>
Cc: freebsd-security@freebsd.org
Subject: Re: quick poppassd question
Message-ID: <20030602091702.J85433@alice.netmint.com>
In-Reply-To: <3EDB4AE0.8060408@centtech.com>
References: <20030602085600.B84160@alice.netmint.com> <3EDB4AE0.8060408@centtech.com>
> I usually don't give pop users shell access, unless they really need
> it. That's just me though.

You're absolutely right. Neither do I. I was speaking from the standpoint
of: if at least one user has shell access...

>
> > --- cut ---
> >
> >     if ((pw = getpwnam (user)) == NULL)
> >     {
> >         syslog (LOG_ERR, "Unknown user, %s", user);
> >         sleep (5);
> >         WriteToClient ("500 Old password is incorrect.");
> >         exit(1);
> >     }
> >
> >     /* begin added code */
> >     if ((pw->pw_uid) < 1001)
> >     {
> >         syslog (LOG_ERR, "Privileged user, %s", user);
> >         sleep (5);
> >         WriteToClient ("500 Old password is incorrect.");
>
> Wouldn't it be better to send a more descriptive error message back?
> Maybe something like "500 Denied for privileged user"?

Just wanted to let people infinitely try to guess the root password, if
they really wanted to.

How is most recent patched poppassd port security in general? Is doing the
UID comparison a potential problem? I'm trying to be as conservative as
possible with changes to code that runs as root and changes people's
passwords. :)

Andrew
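The UID check discussed in this message, as an added example that is not poppassd source and not code from either poster: it keeps the thread's 1001 threshold and the single client-visible reply, and separates the syslog reason from what the client sees. The upper bound MAX_UID (to keep out high system UIDs such as nobody, 65534 on FreeBSD) and all function names are assumptions.

```c
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define MIN_UID 1001u    /* from the thread: UIDs below this are refused */
#define MAX_UID 65533u   /* assumption: excludes high system UIDs (nobody) */

/* One reply for every refusal, so the client cannot tell an unknown user
 * from a protected account from a wrong old password. */
static const char GENERIC_REPLY[] = "500 Old password is incorrect.";

enum deny_reason { ALLOW = 0, DENY_UNKNOWN, DENY_PRIVILEGED, DENY_RANGE };

/* Classify a getpwnam() result; pw == NULL means the lookup failed. */
enum deny_reason classify_account(const struct passwd *pw)
{
    if (pw == NULL)
        return DENY_UNKNOWN;
    if (pw->pw_uid < MIN_UID)
        return DENY_PRIVILEGED;
    if (pw->pw_uid > MAX_UID)
        return DENY_RANGE;
    return ALLOW;
}

/* Reason text for syslog only; it is never sent to the client. */
const char *log_reason(enum deny_reason r)
{
    switch (r) {
    case DENY_UNKNOWN:    return "Unknown user";
    case DENY_PRIVILEGED: return "Privileged user";
    case DENY_RANGE:      return "UID above allowed range";
    default:              return "ok";
    }
}

/* Client-visible reply; NULL means continue to the old-password check. */
const char *client_reply(enum deny_reason r)
{
    return r == ALLOW ? NULL : GENERIC_REPLY;
}
```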