Date: Mon, 02 Jun 2003 08:02:24 -0500
From: Eric Anderson <anderson@centtech.com>
To: Support <support@netmint.com>
Cc: freebsd-security@freebsd.org
Subject: Re: quick poppassd question
Message-ID: <3EDB4AE0.8060408@centtech.com>
References: <20030602085600.B84160@alice.netmint.com>
Support wrote:
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?

I usually don't give pop users shell access, unless they really need it. That's just me though.

> --- cut ---
>
> if ((pw = getpwnam (user)) == NULL)
> {
>     syslog (LOG_ERR, "Unknown user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");
>     exit(1);
> }
>
> /* begin added code */
> if ((pw->pw_uid) < 1001)
> {
>     syslog (LOG_ERR, "Priveleged user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");

Wouldn't it be better to send a more descriptive error message back? Maybe something like "500 Denied for privileged user"?

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------
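The UID-threshold check from the quoted patch, written out as an added example (not the poppassd port's own code) with the policy separated from the getpwnam() lookup so it can be exercised with constructed values, and with the two refusal strings the thread discusses side by side; the MIN_UNPRIV_UID constant, the function names and the sample user names are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Threshold from the quoted patch: uids below this are treated as privileged. */
#define MIN_UNPRIV_UID 1001
enum pw_verdict { PW_ALLOW = 0, PW_UNKNOWN_USER = 1, PW_PRIVILEGED = 2 };

/* Pure policy decision, kept apart from the passwd lookup so it can be
 * tested with constructed values. 'found' is 0 when getpwnam() failed. */
enum pw_verdict uid_policy(int found, uid_t uid, uid_t min_uid)
{
    if (!found)
        return PW_UNKNOWN_USER;
    if (uid < min_uid)          /* same comparison as the patch: pw_uid < 1001 */
        return PW_PRIVILEGED;
    return PW_ALLOW;
}

/* Lookup plus policy, as poppassd would call it on the client-supplied name. */
enum pw_verdict check_user(const char *user, uid_t min_uid)
{
    const struct passwd *pw = getpwnam(user);
    return uid_policy(pw != NULL, pw ? pw->pw_uid : 0, min_uid);
}

/* Text sent back for a refusal; NULL when the request may proceed. The
 * unknown-user case keeps the generic wording so the daemon never confirms
 * which names exist; the privileged case uses the reply's descriptive wording,
 * which gives away little since low-uid system accounts are predictable. */
const char *refusal_message(enum pw_verdict v)
{
    switch (v) {
    case PW_ALLOW:        return NULL;
    case PW_UNKNOWN_USER: return "500 Old password is incorrect.";
    case PW_PRIVILEGED:   return "500 Denied for privileged user.";
    }
    return "500 Internal error.";
}

int main(void)
{
    const char *names[] = { "root", "no-such-user-xyz" };   /* constructed sample names */
    for (size_t i = 0; i < 2; i++) {
        const char *msg = refusal_message(check_user(names[i], MIN_UNPRIV_UID));
        printf("%s -> %s\n", names[i], msg ? msg : "allowed");
    }
    return 0;
}
```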