Date: Mon, 2 Jun 2003 07:04:09 -0400 (EDT) From: Support <support@alice.netmint.com> To: security@freebsd.org Cc: isp@freebsd.org Subject: quick poppassd question Message-ID: <20030602065847.G76644@alice.netmint.com>
next in thread | raw e-mail | index | archive | help
Hello,
I did a quick change to the patched port of poppassd and am wondering if
you think my code would introduce any potential problems.
The idea is right after we check if the username exists, also check if the
UID of that username is over 1000. I wanted to make sure that no one
monkeys around with priveleged users once poppassd is running.
So, the middle chunk of code is mine, everything else has been there
before me.
What's the general feeling about the security of poppassd provided that
users with valid passwords already have shell access to the system, and
now nobody can try to change priveleged accounts' passwords?
--- cut ---
if ((pw = getpwnam (user)) == NULL)
{
syslog (LOG_ERR, "Unknown user, %s", user);
sleep (5);
WriteToClient ("500 Old password is incorrect.");
exit(1);
}
/* begin added code */
if ((pw->pw_uid) < 1001)
{
syslog (LOG_ERR, "Priveleged user, %s", user);
sleep (5);
WriteToClient ("500 Old password is incorrect.");
exit(1);
}
/* end added code */
if (chkPass (user, oldpass, pw) == FAILURE)
{
syslog (LOG_ERR, "Incorrect password from %s", user);
sleep (5);
WriteToClient ("500 Old password is incorrect.");
exit(1);
}
--- cut ---
Perhaps if this passes everyone's scrutiny, it could be added as yet
another patch to poppassd with the min UID defined somewhere in the
Makefile or poppassd.c.
Thanks for your help,
Andrew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030602065847.G76644>