Date: Mon, 2 Jun 2003 10:50:38 -0600
From: "Wolfpaw - Dale Corse" <admin-lists@wolfpaw.net>
To: "Troy Settle" <troy@psknet.com>, "'Mark Sergeant'" <msergeant@snsonline.net>, "'Wolfpaw - Dale Corse'" <admin-lists@wolfpaw.net>
Cc: security@freebsd.org
Subject: RE: quick poppassd question
Message-ID: <AJENJFOLCLAHHIIGCCHNAEAGGMAA.admin-lists@wolfpaw.net>
In-Reply-To: <001b01c3291e$80b3ca90$23fbab3f@psknet.com>
> Perhaps someone can shed more light on the subject, but it's my
> impression that most system processes run with a UID/GID under 100. So a
> uid < 100 should deny the change request.

Perhaps, though the trend is running most things as non-priv users, because it minimizes the damage to the server if a process is compromised. Generally "non-system" accounts seem to start at 1000 (BSD, and most Linux), or 500 (notably Redhat), so you may want to use 500 as the magic number for portability reasons.

> Then again, in this day and age, isn't it advisable to do away with
> system accounts for users? On most of my boxes, there are exactly 2
> passwords in the passwd file: one for my ssh access and another so I can
> su to root. On the one box that does have system accounts for users,
> they can use /usr/bin/passwd directly.
>
> All 4.2k users on my system authenticate from a MySQL database for mail
> and ftp access.

I concur, we use vpopmail w/ mysql to authenticate all mail users (including staff that have shell accounts). As a point, it is more secure, because unless you are using SSL with your pop3 client (which doesn't appear to be that popular), you are broadcasting a shell password all over the net; pop3 is cleartext :)

Point: Use virtual mail :) Shells with SSH and SFTP only :)

> > -----Original Message-----
> > From: owner-freebsd-isp@freebsd.org
> > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Mark Sergeant
> > Sent: Monday, June 02, 2003 11:32 AM
> > To: Wolfpaw - Dale Corse
> > Cc: Support; isp@freebsd.org; security@freebsd.org
> > Subject: RE: quick poppassd question
> >
> >
> > Could we maybe drop it to 200ish as I know of many cases where uid's
> > aren't > 1000 for standard users.
> >
> > On Tue, 2003-06-03 at 01:33, Wolfpaw - Dale Corse wrote:
> > > looks good to me :)
> > >
> > > D.
> > > --------------------------------
> > > Dale Corse
> > > System Administrator
> > > Wolfpaw Services Inc.
> > > http://www.wolfpaw.net
> > > (780) 474-4095
> > >
> > > > -----Original Message-----
> > > > From: owner-freebsd-isp@freebsd.org
> > > > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Support
> > > > Sent: Monday, June 02, 2003 5:04 AM
> > > > To: security@freebsd.org
> > > > Cc: isp@freebsd.org
> > > > Subject: quick poppassd question
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I did a quick change to the patched port of poppassd and am
> > > > wondering if you think my code would introduce any potential problems.
> > > >
> > > > The idea is right after we check if the username exists, also check
> > > > if the UID of that username is over 1000. I wanted to make sure that
> > > > no one monkeys around with privileged users once poppassd is running.
> > -snip-
> >
> > --
> > Mark Sergeant <msergeant@snsonline.net>
> > SNSOnline Technical Services
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
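The UID threshold check debated in this thread, written out as an added example that is not the poppassd port's code and was not posted by any of the participants. The threshold is a parameter because 1000, 500 and 200 are all proposed above; the check refuses UID 0 regardless of the threshold and fails closed when the account lookup itself fails, so an unknown user is never treated as an ordinary one. The user names in main() are constructed demo input.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Threshold below which an account is treated as a system account.
 * 1000 is the value from the original patch; the thread also suggests
 * 500 (Redhat-style) and 200, so it is a parameter of the checks below. */
#define DEFAULT_MIN_UID 1000

/* Policy decision on a numeric UID: returns 1 to allow the POP password
 * change, 0 to refuse it. Root is refused whatever the threshold is. */
int uid_change_allowed(uid_t uid, uid_t min_uid)
{
    if (uid == 0)
        return 0;
    return uid >= min_uid ? 1 : 0;
}

/* Look the account up and apply the policy. Returns 1 (allow), 0 (refuse:
 * privileged or system account) or -1 (unknown user / lookup failure).
 * Callers should treat anything other than 1 as a refusal. */
int user_change_allowed(const char *user, uid_t min_uid)
{
    struct passwd *pw = getpwnam(user);   /* NULL when no such account */
    if (pw == NULL)
        return -1;
    return uid_change_allowed(pw->pw_uid, min_uid);
}

int main(void)
{
    /* Constructed demo input: root exists on practically every Unix
     * system; the second name is a placeholder not expected to exist. */
    const char *names[] = { "root", "nosuchuser_example" };
    for (int i = 0; i < 2; i++) {
        int r = user_change_allowed(names[i], DEFAULT_MIN_UID);
        printf("%-20s -> %s\n", names[i],
               r == 1 ? "allow"
                      : (r == 0 ? "refuse (privileged account)"
                                : "refuse (unknown user)"));
    }
    return 0;
}
```

Because the decision is split into a pure function on the UID and a wrapper that does the lookup, the threshold policy can be unit-tested without touching /etc/passwd, and the three-way return of the wrapper makes the fail-closed case visible to the caller instead of silently mapping it to "allow".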