Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20030103012636.GA4066@openwall.com>
Date: Fri, 3 Jan 2003 04:26:36 +0300
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: Add (virtual) user perlscript

On Wed, Jan 01, 2003 at 03:54:32AM +0100, Tim van Erven wrote:
> I've written a simple perl script[1] to add users for popa3d when using
> the example database format for virtual domains as implemented in
> virtual.c.  It isn't very userfriendly in that it could be a security
> risk if directory permissions aren't set correctly.  However, it might
> be useful as a starting point for creating a custom setup.

Thanks.

I've added a link to it to the contributed resources list on the
popa3d homepage.  I'd like to also place it in contrib/ on my FTP (and
thus on all the mirrors), but before that you might want to fix two
things:

1. You have the auth files readable by group popa3d.  Why?  That
shouldn't be needed and only makes things worse in case of a user
popa3d compromise.

2. You set $virtual_mail_owner to user mail.  It would be safer to use
a dedicated pseudo-user (or better yet, a pseudo-user per domain, but
that may be harder to configure in your delivery agent).  The reason
it's not good to re-use user mail is that in this case popa3d is granted
a privilege it doesn't need: ability to access the entire global mail
spool.  Should there be a post-authentication vulnerability in popa3d,
it would now allow to destroy all mail on the system or, even worse,
place traps in /var/{spool/,}mail that would result in a subsequent
root compromise via other mail-related services you might have.  This
setup goes against the design of popa3d.

> See my mail to the debian-security mailing list[2] for a description of
> the setup I'm using it on.
> 
> Tim
> 
> 1. http://gene.wins.uva.nl/~talerven/software/
> 2. http://lists.debian.org/debian-security/2002/debian-security-200212/
>    msg00103.html (this should of course be on a single line) 

-- 
/sd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.