Date:      Wed, 27 Oct 1999 11:42:02 -0400
From:      Thomas Stromberg <tstromberg@rtci.com>
To:        Vadim Chekan <vadim@gc.lviv.ua>, freebsd-stable@freebsd.org
Subject:   Re: imap, postfix, freebsd (insert libc getpwent() hack).
Message-ID:  <38171D4A.E5352EA4@rtci.com>
References:  <38131DEA.63672F@dreamfire.net> <005901bf1e37$26aefce0$190aa8c0@local.mindstep.com> <3814311F.1A8A1E92@gc.lviv.ua>

Vadim Chekan wrote:
> 
> Patrick Bihan-Faou wrote:
> > However, I think that the CYRUS IMAP server is somewhat nicer than IMAP-UW.
> > Is anybody looking at updating the port ?
> 
> I tried to run it but there is a problem. New Cyrus uses PAM. But a
> non-root user hasn't got permissions to authenticate a user by pam_unix.
> I don't know if this is a feature or a bug. It's possible to use Cyrus's
> users database.
> 
> Vadim Chekan.


We run a postfix+cyrus box here, and in short, you'll have to wait for
the pwcheck module to be re-included in the 1.6.X series to really use
it under FreeBSD. I've found some other bugs/annoyances in 1.6.x, so
that's why we went back to 1.5.x.. However, if you really want to get
1.6.x to work under FreeBSD..

The culprit for the fouled authentication (-13) is this line in
/usr/src/lib/libc/gen/getpwent.c:

         p = (geteuid()) ? _PATH_MP_DB : _PATH_SMP_DB;

What happens is the pam module (or if you tell it to use the shadow
type) tries to do getpwent() as a non-root user, and getpwent() then
hands it the password database file that has no passwords (/etc/pwd.db)
because its euid is not 0. (It's cyrus.)

The simple fix for it (the horrible hack we did) was to give getpwent()
a more SYSV mentality, and check if the process could open /etc/spwd.db,
otherwise, hand it /etc/pwd.db. I'm not altogether sure why this is not
the behaviour in BSD (while it is a little more secure, it does not lend
much to security). Then of course, you would change /etc/spwd.db so that
cyrus has read access to it. (not write). 

Beware that every time the database is rebuilt you would have to re-give
permissions to cyrus to read the password database. Dealing with hacks
like this was a little too much for us, so we wimped out and went back
to 1.5.x. 

The downside is if someone were to crack cyrus, they would get *READ
ACCESS* to the password file. But if you think about it, if someone were
to crack pwcheck running as root, they would get *ROOT ACCESS*.

-- 
======================================================================
thomas r. stromberg                     smtp://tstromberg@rtci.com
assistant is manager / systems guru     http://thomas.stromberg.org
research triangle commerce, inc.        finger://thomas@stromberg.org
'om mani padme hung'                    pots://1.919.380.9771:3210
----------------------------------------------------------------------
<geek> GPS $GCS d? s: a-- C+++ $UB++++ $US+++ $P++++ L- E- W++ N w- 
V-- PE-- Y+ tv-- b+++ e h r G D-- $DI++ t+ rbt C B++ xi xw !D </geek>  
================================================================[eof]=

