quick poppassd question
Eric Anderson
anderson at centtech.com
Mon Jun 2 06:04:01 PDT 2003
Support wrote:
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?
I usually don't give pop users shell access, unless they really need
it. That's just me though.
> --- cut ---
>
> if ((pw = getpwnam (user)) == NULL)
> {
>     syslog (LOG_ERR, "Unknown user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");
>     exit(1);
> }
>
> /* begin added code */
> /* refuse system accounts: anything with a UID of 1000 or below */
> if ((pw->pw_uid) < 1001)
> {
>     syslog (LOG_ERR, "Privileged user, %s", user);
>     sleep (5);
>     WriteToClient ("500 Old password is incorrect.");
Wouldn't it be better to send a more descriptive error message back?
Maybe something like "500 Denied for privileged user"?
Eric
--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------
More information about the freebsd-security mailing list
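The check discussed in the thread, written out as a stand-alone C program. This is an added example, not code from poppassd or from either poster: the threshold constant, the enum, the function names and the printf() stand-in for WriteToClient() are all assumptions made here. The policy decision is split from the getpwnam() lookup so the rule can be exercised against a constructed passwd entry, and the privileged-user refusal gets the more descriptive reply Eric suggests while the unknown-user case keeps the original "Old password is incorrect" wording.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Accounts with a UID below this are treated as system/privileged accounts.
 * 1001 reproduces the "UID over 1000" rule from the quoted patch (so UID 1000
 * itself is refused); this value is an assumption, adjust it to match the
 * site's UID allocation policy. */
#define MIN_UNPRIVILEGED_UID 1001u

enum pw_check {
    PW_OK = 0,
    PW_UNKNOWN_USER,
    PW_PRIVILEGED_USER
};

/* Policy decision on an already-resolved passwd entry. Kept separate from
 * the lookup so the rule can be tested with a constructed entry without
 * touching the system password database. */
enum pw_check check_passwd_entry(const struct passwd *pw, uid_t min_uid)
{
    if (pw == NULL)
        return PW_UNKNOWN_USER;
    if (pw->pw_uid < min_uid)
        return PW_PRIVILEGED_USER;
    return PW_OK;
}

/* Resolve the name and apply the policy, logging refusals the way the
 * quoted code does. */
enum pw_check check_user(const char *user, uid_t min_uid)
{
    enum pw_check rc = check_passwd_entry(getpwnam(user), min_uid);

    if (rc == PW_UNKNOWN_USER)
        syslog(LOG_ERR, "Unknown user, %s", user);
    else if (rc == PW_PRIVILEGED_USER)
        syslog(LOG_ERR, "Privileged user, %s", user);
    return rc;
}

/* Protocol reply for a refusal, or NULL when the user may continue.
 * The unknown-user case reuses the bad-password reply so the daemon does not
 * confirm which account names exist; the privileged case gets the more
 * descriptive reply suggested in the thread. */
const char *pw_check_reply(enum pw_check rc)
{
    switch (rc) {
    case PW_UNKNOWN_USER:    return "500 Old password is incorrect.";
    case PW_PRIVILEGED_USER: return "500 Denied for privileged user.";
    default:                 return NULL;
    }
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    enum pw_check rc = check_user(user, MIN_UNPRIVILEGED_UID);
    const char *reply = pw_check_reply(rc);

    if (reply != NULL) {
        sleep(5);               /* same brute-force slowdown as the original */
        printf("%s\n", reply);  /* stand-in for WriteToClient() */
        return 1;
    }
    printf("%s may proceed to the password change\n", user);
    return 0;
}
```

Run it as `./a.out root` to see the privileged refusal and `./a.out someuser` for an account above the threshold. One thing to keep in mind when choosing the threshold: the comparison is strictly less-than, so with 1001 the account at UID 1000 is refused along with everything below it, which is what "over 1000" in the original asks for.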