From owner-freebsd-stable Wed Oct 27 8:42:59 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from barracuda.aquarium.rtci.com (barracuda.aquarium.rtci.com [208.11.247.5]) by hub.freebsd.org (Postfix) with ESMTP id DA55315021 for ; Wed, 27 Oct 1999 08:42:55 -0700 (PDT) (envelope-from tstromberg@rtci.com)
Received: from rtci.com (chenresig@karma.afterthought.org [208.11.244.6]) by barracuda.aquarium.rtci.com (8.9.3/8.9.3) with ESMTP id LAA22917; Wed, 27 Oct 1999 11:42:46 -0400 (EDT)
Message-ID: <38171D4A.E5352EA4@rtci.com>
Date: Wed, 27 Oct 1999 11:42:02 -0400
From: Thomas Stromberg
Organization: Research Triangle Consultants, Inc.
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Vadim Chekan , freebsd-stable@freebsd.org
Subject: Re: imap, postfix, freebsd (insert libc getpwent() hack).
References: <38131DEA.63672F@dreamfire.net> <005901bf1e37$26aefce0$190aa8c0@local.mindstep.com> <3814311F.1A8A1E92@gc.lviv.ua>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Vadim Chekan wrote:
>
> Patrick Bihan-Faou wrote:
> > However, I think that the CYRUS IMAP server is somewhat nicer than IMAP-UW.
> > Is anybody looking at updating the port ?
>
> I tried to run it but there is a problem. New Cyrus uses PAM. But a
> non-root user hasn't got permission to authenticate a user by pam_unix.
> I don't know whether this is a feature or a bug. It's possible to use Cyrus's
> users database.
>
> Vadim Chekan.

We run a postfix+cyrus box here, and in short, you'll have to wait for the
pwcheck module to be re-included in the 1.6.X series to really use it under
FreeBSD. I've found some other bugs/annoyances in 1.6.x, so that's why we
went back to 1.5.x.

However, if you really want to get 1.6.x to work under FreeBSD...

The culprit for the fouled authentication (-13) is this line in
/usr/src/lib/libc/gen/getpwent.c:

    p = (geteuid()) ? _PATH_MP_DB : _PATH_SMP_DB;

What happens is the pam module (or if you tell it to use the shadow type)
tries to do getpwent() as a non-root user, and getpwent() then hands it the
password database file that has no passwords (/etc/pwd.db) because its euid
is not 0. (It's cyrus).

The simple fix for it (the horrible hack we did) was to give getpwent() a
more SYSV mentality, and check if the process could open /etc/spwd.db,
otherwise, hand it /etc/pwd.db. I'm not altogether sure why this is not the
behaviour in BSD (while it is a little more secure, it does not lend much to
security).

Then of course, you would change /etc/spwd.db so that cyrus has read access
to it (not write). Beware that every time the database is rebuilt you would
have to re-give permissions to cyrus to read the password database.

Dealing with hacks like this was a little too much for us, so we wimped out
and went back to 1.5.x. The downside is if someone was to crack cyrus, they
would get *READ ACCESS* to the password file. But if you think about it, if
someone was to crack pwcheck running as root, they would get *ROOT ACCESS*.

--
======================================================================
thomas r. stromberg                          smtp://tstromberg@rtci.com
assistant is manager / systems guru          http://thomas.stromberg.org
research triangle commerce, inc.             finger://thomas@stromberg.org
'om mani padme hung'                         pots://1.919.380.9771:3210
----------------------------------------------------------------------
GPS $GCS d? s: a-- C+++ $UB++++ $US+++ $P++++ L- E- W++ N w- V-- PE-- Y+
tv-- b+++ e h r G D-- $DI++ t+ rbt C B++ xi xw !D
================================================================[eof]=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message