quick poppassd question

Support support at netmint.com
Mon Jun 2 06:20:57 PDT 2003


> I usually don't give pop users shell access, unless they really need
> it.  That's just me though.

You're absolutely right. Neither do I. I was speaking from the standpoint
of: if at least one user has shell access...

>
> > --- cut ---
> >
> >      if ((pw = getpwnam (user)) == NULL)
> >      {
> >           syslog (LOG_ERR, "Unknown user, %s", user);
> >           sleep (5);
> >           WriteToClient ("500 Old password is incorrect.");
> >           exit(1);
> >      }
> >
> >      /* begin added code */
> >      if ((pw->pw_uid) < 1001)
> >      {
> >           syslog (LOG_ERR, "Priveleged user, %s", user);
> >           sleep (5);
> >           WriteToClient ("500 Old password is incorrect.");
>
> Wouldn't it be better to send a more descriptive error message back?
> Maybe something like "500 Denied for priveleged user"?

Just wanted to let people infinitely try to guess the root password, if
they really wanted to.

How is the security of the most recent patched poppassd port in general? Is doing the
UID comparison a potential problem? I'm trying to be as conservative as
possible with changes to code that runs as root and changes people's
passwords. :)

Andrew
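
The UID gate quoted in this message, as an added example that is not part of the original post or of poppassd: the decision is separated from the reply, so unknown and privileged accounts get the same client response while syslog keeps the real reason. The names `check_account`, `client_reply`, `log_reason` and the upper bound `MAX_USER_UID` are assumptions made here; only the 1001 threshold and the reply string come from the thread.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* 1001 is the threshold used in the thread. MAX_USER_UID is an added
 * assumption: it keeps high-numbered system accounts such as "nobody"
 * (65534 on FreeBSD) out of the allowed range as well. */
#define MIN_USER_UID ((uid_t)1001)
#define MAX_USER_UID ((uid_t)65533)
enum verdict { ALLOW = 0, DENY_UNKNOWN, DENY_PRIVILEGED };

/* Policy decision on the getpwnam() result, which may be NULL. */
enum verdict check_account(const struct passwd *pw)
{
    if (pw == NULL)
        return DENY_UNKNOWN;
    /* uid_t is unsigned, so no negative UID slips under the lower bound. */
    if (pw->pw_uid < MIN_USER_UID || pw->pw_uid > MAX_USER_UID)
        return DENY_PRIVILEGED;
    return ALLOW;
}

/* Client-visible reply: identical for every denial, so the protocol does
 * not reveal which names exist or which ones are privileged. */
const char *client_reply(enum verdict v)
{
    return v == ALLOW ? NULL : "500 Old password is incorrect.";
}

/* syslog text: the operator still sees the real reason. */
const char *log_reason(enum verdict v)
{
    return v == DENY_UNKNOWN ? "Unknown user"
         : v == DENY_PRIVILEGED ? "Privileged user" : "Eligible user";
}

int main(void)
{
    uid_t samples[] = { 0, 1000, 1001, 65534 };  /* constructed UIDs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct passwd pw;
        memset(&pw, 0, sizeof pw);
        pw.pw_uid = samples[i];
        printf("uid %lu: %s\n", (unsigned long)samples[i],
               log_reason(check_account(&pw)));
    }
    return 0;
}
```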

