Date:      Mon, 2 Jun 2003 09:33:07 -0600
From:      "Wolfpaw - Dale Corse" <admin-lists@wolfpaw.net>
To:        "Support" <support@alice.netmint.com>, <security@freebsd.org>
Cc:        isp@freebsd.org
Subject:   RE: quick poppassd question
Message-ID:  <AJENJFOLCLAHHIIGCCHNEEABGMAA.admin-lists@wolfpaw.net>
In-Reply-To: <20030602065847.G76644@alice.netmint.com>

looks good to me :)

D.
--------------------------------
Dale Corse
System Administrator
Wolfpaw Services Inc.
http://www.wolfpaw.net
(780) 474-4095

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of Support
> Sent: Monday, June 02, 2003 5:04 AM
> To: security@freebsd.org
> Cc: isp@freebsd.org
> Subject: quick poppassd question
>
>
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?
>
> --- cut ---
>
>      if ((pw = getpwnam (user)) == NULL)
>      {
>           syslog (LOG_ERR, "Unknown user, %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>
>      /* begin added code */
>      if ((pw->pw_uid) < 1001)
>      {
>           syslog (LOG_ERR, "Priveleged user, %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>      /* end added code */
>
>      if (chkPass (user, oldpass, pw) == FAILURE)
>      {
>           syslog (LOG_ERR, "Incorrect password from %s", user);
>           sleep (5);
>           WriteToClient ("500 Old password is incorrect.");
>           exit(1);
>      }
>
> --- cut ---
>
> Perhaps if this passes everyone's scrutiny, it could be added as yet
> another patch to poppassd with the min UID defined somewhere in the
> Makefile or poppassd.c.
>
> Thanks for your help,
>
> Andrew
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to
> "freebsd-isp-unsubscribe@freebsd.org"
>
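
An added example, not part of the thread or of poppassd: the minimum-UID check from the quoted message written as a configurable function, as the message suggests, with an upper bound as well, because a minimum alone still admits high-numbered system accounts such as nobody (65534 on FreeBSD). The macro names, the 59999 ceiling and the function names are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical build-time knobs (not in poppassd); override with
 * e.g. -DPOPPASSD_MIN_UID=1001 from the port Makefile. */
#ifndef POPPASSD_MIN_UID
#define POPPASSD_MIN_UID 1001u   /* matches the "< 1001" test in the thread */
#endif
#ifndef POPPASSD_MAX_UID
#define POPPASSD_MAX_UID 59999u  /* assumed ceiling; excludes nobody (65534) */
#endif

enum acct_verdict { ACCT_UNKNOWN, ACCT_PRIVILEGED, ACCT_OK };

/* Classify a UID. uid_t is unsigned, so compare as unsigned and never
 * cast to int: a huge UID must not wrap to a negative value. */
enum acct_verdict uid_verdict(uid_t uid)
{
    if (uid < (uid_t)POPPASSD_MIN_UID || uid > (uid_t)POPPASSD_MAX_UID)
        return ACCT_PRIVILEGED;
    return ACCT_OK;
}

/* Classify a passwd entry as returned by getpwnam(); NULL means no such user. */
enum acct_verdict account_verdict(const struct passwd *pw)
{
    return pw == NULL ? ACCT_UNKNOWN : uid_verdict(pw->pw_uid);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "privileged", "ok" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    /* The daemon should log the verdict but send the client the same
     * "500 Old password is incorrect." reply for every non-OK case. */
    printf("%s: %s\n", argv[1], names[account_verdict(getpwnam(argv[1]))]);
    return 0;
}
```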