From owner-freebsd-isp@FreeBSD.ORG Mon Jun 2 09:36:10 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A4F837B401 for ; Mon, 2 Jun 2003 09:36:10 -0700 (PDT)
Received: from alcatraz.wolfpaw.net (alcatraz.wolfpaw.net [204.209.44.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 8C4E343FAF for ; Mon, 2 Jun 2003 09:36:08 -0700 (PDT) (envelope-from admin-lists@wolfpaw.net)
Received: (qmail 31806 invoked by uid 0); 2 Jun 2003 16:36:07 -0000
Received: from unknown (HELO wolf) (216.123.201.128) by 0 with SMTP; 2 Jun 2003 16:36:07 -0000
From: "Wolfpaw - Dale Corse"
To: "Troy Settle", "'Mark Sergeant'", "'Wolfpaw - Dale Corse'"
Date: Mon, 2 Jun 2003 10:50:38 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <001b01c3291e$80b3ca90$23fbab3f@psknet.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
cc: 'Support'
cc: isp@freebsd.org
cc: security@freebsd.org
Subject: RE: quick poppassd question
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Mon, 02 Jun 2003 16:36:10 -0000

> Perhaps someone can shed more light on the subject, but it's my
> impression that most system processes run with a UID/GID under 100. So a
> uid < 100 should deny the change request.

Perhaps, though the trend is running most things as non-priv users,
because it minimizes the damage to the server if a process is
compromised. Generally "non-system" accounts seem to start at 1000
(BSD, and most Linux), or 500 (notably Redhat) so.. you may want to
use 500 as the magic number for portability reasons.
> Then again, in this day and age, isn't it advisable to do away with
> system accounts for users? On most of my boxes, there are exactly 2
> passwords in the passwd file: one for my ssh access and another so I can
> su to root. On the one box that does have system accounts for users,
> they can use /usr/bin/passwd directly.
>
> All 4.2k users on my system authenticate from a MySQL database for mail
> and ftp access.

I concur, we use vpopmail w/ mysql to authenticate all mail users
(including staff that have shell accounts). As a point .. it is more
secure, because unless you are using SSL with your pop3 client (which
doesn't appear to be that popular), you are broadcasting a shell
password all over the net, pop3 is cleartext :)

Point: Use virtual mail :) Shells with SSH and SFTP only :)

> > -----Original Message-----
> > From: owner-freebsd-isp@freebsd.org
> > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Mark Sergeant
> > Sent: Monday, June 02, 2003 11:32 AM
> > To: Wolfpaw - Dale Corse
> > Cc: Support; isp@freebsd.org; security@freebsd.org
> > Subject: RE: quick poppassd question
> >
> > Could we maybe drop it to 200ish as I know of many cases where uid's
> > aren't > 1000 for standard users.
> >
> > On Tue, 2003-06-03 at 01:33, Wolfpaw - Dale Corse wrote:
> > > looks good to me :)
> > >
> > > D.
> > > --------------------------------
> > > Dale Corse
> > > System Administrator
> > > Wolfpaw Services Inc.
> > > http://www.wolfpaw.net
> > > (780) 474-4095
> > >
> > > > -----Original Message-----
> > > > From: owner-freebsd-isp@freebsd.org
> > > > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Support
> > > > Sent: Monday, June 02, 2003 5:04 AM
> > > > To: security@freebsd.org
> > > > Cc: isp@freebsd.org
> > > > Subject: quick poppassd question
> > > >
> > > > Hello,
> > > >
> > > > I did a quick change to the patched port of poppassd and am
> > > > wondering if you think my code would introduce any potential problems.
> > > >
> > > > The idea is right after we check if the username exists, also check
> > > > if the UID of that username is over 1000. I wanted to make sure that
> > > > no one monkeys around with privileged users once poppassd is running.
> > -snip-
> >
> > --
> > Mark Sergeant
> > SNSOnline Technical Services
> > _______________________________________________
> > freebsd-isp@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
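The check discussed in this thread (after the username lookup succeeds, refuse to change the password of any account whose UID is below a threshold, with 500 as the portable value since first-user UIDs are 1000 on BSD and most Linux but 500 on Red Hat) as an added example. This is not the poppassd port's code or Support's patch; it reads a constructed passwd(5)-style table embedded in the block instead of calling getpwnam(3), so it runs offline. The names `check_change_allowed`, `lookup_uid`, `POPPASSD_MIN_UID` and the sample accounts are all assumptions made for the example.

```c
/* Added example, not poppassd's own code: a minimum-UID policy check for a
 * password-changing daemon, applied right after the username lookup.  The
 * passwd(5)-style table below is constructed for the example; a real daemon
 * would take pw->pw_uid from getpwnam(3) and test it the same way. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Threshold the thread settles on for portability: first "normal" user UID is
 * 1000 on BSD and most Linux, 500 on Red Hat, so 500 covers both (assumed). */
#define POPPASSD_MIN_UID 500

enum change_verdict {
    CHANGE_OK = 0,
    CHANGE_NO_SUCH_USER,   /* username not found in the table */
    CHANGE_PRIVILEGED_UID  /* UID below the policy threshold */
};

/* Constructed sample passwd(5) lines (not a real system's file). */
static const char *sample_passwd[] = {
    "root:*:0:0:Charlie &:/root:/bin/csh",
    "daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin",
    "pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin",
    "apache:*:80:80:Apache web server:/var/www:/usr/sbin/nologin",
    "mail1:*:501:501:Red Hat-style first user:/home/mail1:/bin/sh",
    "jdoe:*:1001:1001:J. Doe:/home/jdoe:/bin/sh",
    NULL
};

/* Find `user` in the table and return its UID through *uid.
 * Returns 1 if found (with a well-formed uid field), 0 otherwise.
 * Field order is name:password:uid:gid:gecos:home:shell. */
static int lookup_uid(const char *const *table, const char *user, uid_t *uid)
{
    size_t ulen = strlen(user);
    for (; *table != NULL; table++) {
        const char *line = *table;
        const char *colon = strchr(line, ':');
        /* exact name match only: "roo" must not match "root" */
        if (colon == NULL || (size_t)(colon - line) != ulen ||
            strncmp(line, user, ulen) != 0)
            continue;
        const char *pw = strchr(colon + 1, ':');  /* end of password field */
        if (pw == NULL)
            return 0;
        char *end;
        unsigned long v = strtoul(pw + 1, &end, 10);
        if (end == pw + 1 || *end != ':')
            return 0;   /* malformed uid field: treat as not found */
        *uid = (uid_t)v;
        return 1;
    }
    return 0;
}

/* The policy from the thread: deny when the user does not exist or when its
 * UID is below min_uid, so root and daemon accounts (root, daemon, pop,
 * apache, ...) can never be changed through the daemon.  Checking the UID
 * rather than the name also covers any uid-0 alias of root. */
enum change_verdict check_change_allowed(const char *user, uid_t min_uid)
{
    uid_t uid;
    if (!lookup_uid(sample_passwd, user, &uid))
        return CHANGE_NO_SUCH_USER;
    if (uid < min_uid)
        return CHANGE_PRIVILEGED_UID;
    return CHANGE_OK;
}

int main(void)
{
    const char *users[] = { "root", "pop", "apache", "mail1", "jdoe", "nobodyhere" };
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        enum change_verdict v = check_change_allowed(users[i], POPPASSD_MIN_UID);
        printf("%-10s -> %s\n", users[i],
               v == CHANGE_OK ? "allowed" :
               v == CHANGE_NO_SUCH_USER ? "denied (no such user)" :
               "denied (privileged uid)");
    }
    return 0;
}
```

Running it with the 500 threshold allows `mail1` (uid 501) and `jdoe` (uid 1001) and denies the four system accounts; raising the threshold to 1000 would also deny `mail1`, which is the portability problem the thread is weighing. The two distinct denial codes let the daemon log "unknown user" and "privileged account" separately without changing what the client sees.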