Message-ID: <20030104003305.GA10416@mould.vormig.net>
Date: Sat, 4 Jan 2003 01:33:05 +0100
From: Tim van Erven <tve@...mig.net>
To: popa3d-users@...ts.openwall.com
Subject: Re: Add (virtual) user perlscript

On Fri, 03/01/2003 04:26 +0300, Solar Designer wrote:
> On Wed, Jan 01, 2003 at 03:54:32AM +0100, Tim van Erven wrote:
>> I've written a simple perl script[1] to add users for popa3d when using

...
 
> I've added a link to it to the contributed resources list on the
> popa3d homepage.  I'd like to also place it in contrib/ on my FTP (and
> thus on all the mirrors), but before that you might want to fix two
> things:
> 
> 1. You have the auth files readable by group popa3d.  Why?  That
> shouldn't be needed and only makes things worse in case of a user
> popa3d compromise.
> 
> 2. You set $virtual_mail_owner to user mail.  It would be safer to use
> a dedicated pseudo-user (or better yet, a pseudo-user per domain, but
> that may be harder to configure in your delivery agent).  The reason
> it's not good to re-use user mail is that in this case popa3d is granted
> a privilege it doesn't need: ability to access the entire global mail
> spool.  Should there be a post-authentication vulnerability in popa3d,
> it would now allow destroying all mail on the system or, even worse,
> place traps in /var/{spool/,}mail that would result in a subsequent
> root compromise via other mail-related services you might have.  This
> setup goes against the design of popa3d.

Should be fixed in version 1.1, which is available from my website. It
also contains a few other improvements.  See the changelog[2] for
details.

>> 1. http://gene.wins.uva.nl/~talerven/software/
2. http://gene.wins.uva.nl/~talerven/software/add-popa3d-user/changelog

-- 
Tim van Erven <tve@...mig.net>
OpenPGP Key ID: 712CB811        Fingerprint: F6C9 61EE 242C C012 36D5
WWW: http://www.science.uva.nl/~talerven/    BBF8 6310 D557 712C B811
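
An added audit script, not from the add-popa3d-user script or from either message above, that checks an existing virtual-domain setup for the two points Solar Designer raises: auth files readable beyond their owner, and a mailbox tree owned by a shared account such as user mail. The paths, the list of shared accounts and the per-domain pseudo-user naming are assumptions.

```shell
#!/bin/sh
# Added example, not part of the add-popa3d-user script or of this thread.
# Audits a popa3d virtual-domain setup for the two issues raised above:
# an auth file that is group/other readable, and a mailbox directory owned
# by a shared account (such as user mail) instead of a dedicated
# pseudo-user.  Paths and the pseudo-user naming are assumptions.

# Return 0 when the file carries no group or other permission bits at all.
# Parses ls -l rather than stat(1), whose options differ between GNU and BSD.
auth_file_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Return 0 when the owner name is a dedicated pseudo-user, 1 when it is a
# shared system account whose privileges extend beyond this domain's mail
# (the thread's objection to re-using user mail).  The account list is an
# assumption; extend it for your system.
owner_is_dedicated() {
    case "$1" in
        root|mail|daemon|nobody) return 1 ;;
    esac
    return 0
}

# Print a finding for each problem; return 0 only when both checks pass.
audit_domain() {
    auth_file=$1; mail_dir=$2; rc=0
    if ! auth_file_private "$auth_file"; then
        echo "WARN: $auth_file is readable beyond its owner; clear group/other bits"
        rc=1
    fi
    owner=$(ls -ld "$mail_dir" | awk '{print $3}')
    if ! owner_is_dedicated "$owner"; then
        echo "WARN: $mail_dir is owned by shared account '$owner'; use a per-domain pseudo-user"
        rc=1
    fi
    return $rc
}

# Usage: audit-popa3d.sh AUTH_FILE MAIL_DIR (hypothetical paths, e.g.
# /etc/popa3d/example.net.auth /var/mail/virtual/example.net)
if [ $# -eq 2 ]; then
    audit_domain "$1" "$2"
fi
```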
