From: "Wolfpaw - Dale Corse"
To: "Support"
Cc: isp@freebsd.org
Date: Mon, 2 Jun 2003 09:33:07 -0600
Subject: RE: quick poppassd question
In-Reply-To: <20030602065847.G76644@alice.netmint.com>

looks good to me :)

D.

--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of Support
> Sent: Monday, June 02, 2003 5:04 AM
> To: security@freebsd.org
> Cc: isp@freebsd.org
> Subject: quick poppassd question
>
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?
>
> --- cut ---
>
>     if ((pw = getpwnam (user)) == NULL)
>     {
>         syslog (LOG_ERR, "Unknown user, %s", user);
>         sleep (5);
>         WriteToClient ("500 Old password is incorrect.");
>         exit(1);
>     }
>
>     /* begin added code */
>     if ((pw->pw_uid) < 1001)
>     {
>         syslog (LOG_ERR, "Priveleged user, %s", user);
>         sleep (5);
>         WriteToClient ("500 Old password is incorrect.");
>         exit(1);
>     }
>     /* end added code */
>
>     if (chkPass (user, oldpass, pw) == FAILURE)
>     {
>         syslog (LOG_ERR, "Incorrect password from %s", user);
>         sleep (5);
>         WriteToClient ("500 Old password is incorrect.");
>         exit(1);
>     }
>
> --- cut ---
>
> Perhaps if this passes everyone's scrutiny, it could be added as yet
> another patch to poppassd with the min UID defined somewhere in the
> Makefile or poppassd.c.
>
> Thanks for your help,
>
> Andrew
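
An added example, not part of the original post or of poppassd: the UID floor from the quoted message as a standalone C function, with the minimum UID taken from a compile-time macro as the message suggests. The names POPPASSD_MIN_UID, uid_gate, gate_log_reason and gate_client_reply are hypothetical, and the sample accounts are constructed.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical names; floor assumed set at build time, e.g. -DPOPPASSD_MIN_UID=1001 */
#ifndef POPPASSD_MIN_UID
#define POPPASSD_MIN_UID 1001
#endif

enum gate_result { GATE_OK, GATE_UNKNOWN_USER, GATE_PRIVILEGED_USER };

/* Decide from a getpwnam() result whether the password check may proceed. */
enum gate_result uid_gate(const struct passwd *pw)
{
    if (pw == NULL) return GATE_UNKNOWN_USER;
    if (pw->pw_uid < (uid_t)POPPASSD_MIN_UID) return GATE_PRIVILEGED_USER;
    return GATE_OK;
}

/* Reason for syslog only, so the operator can see why a request was refused. */
const char *gate_log_reason(enum gate_result r)
{
    switch (r) {
    case GATE_UNKNOWN_USER:    return "Unknown user";
    case GATE_PRIVILEGED_USER: return "Privileged user";
    default:                   return NULL;
    }
}

/* Reply for the client: identical for every refusal, as in the posted code,
 * so the protocol does not reveal which check failed. NULL means proceed. */
const char *gate_client_reply(enum gate_result r)
{
    return r == GATE_OK ? NULL : "500 Old password is incorrect.";
}

int main(void)
{
    /* Constructed sample accounts, not read from the system. */
    struct passwd root = {0}, staff = {0}, user = {0};
    const struct passwd *samples[] = { NULL, &root, &staff, &user };
    root.pw_uid = 0; staff.pw_uid = 1000; user.pw_uid = 1001;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why = gate_log_reason(uid_gate(samples[i]));
        printf("%s\n", why ? why : "proceed to chkPass");
    }
    return 0;
}
```

A floor alone still admits high-numbered service accounts such as nobody (UID 65534 on FreeBSD), so an upper bound is worth considering alongside it.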