| 1 |
On Thu, Jul 21, 2005 at 12:28:31AM +0000, Casey Allen Shobe wrote: |
| 2 |
> > chsh has also been vetted for security problems a LOT more |
| 3 |
> > closely than vchkpw. I don't trust vchkpw with suid-root. |
| 4 |
> Then use suidctl? |
| 5 |
I do on my production machines. |
| 6 |
|
| 7 |
> > The postfix maintainers were asked about it once before, and the |
| 8 |
> > answer was that there wasn't enough demand for it. You're only |
| 9 |
> > the second person that's asked (that I am aware of). |
| 10 |
> ...and I'm not actually asking for it, though it would be nice to be |
| 11 |
> in the ebuild just for the sake of completeness. I don't actually |
| 12 |
> know anybody who uses postfix+vpopmail on the vpopmail list. |
| 13 |
For the sake of completeness and as an academic exercise, I'll accept |
| 14 |
tested patches for it ;-). |
| 15 |
|
| 16 |
> > This is decidedly not a good idea, unless vchkpw gets locked up |
| 17 |
> > more so that only specific things can run it (otherwise it can |
| 18 |
> > easily be used to brute-force passwords). |
| 19 |
> True. Would the best way to do that be to only give the vpopmail |
| 20 |
> group execute access to vchkpw, and then add qmail-smtpd to that |
| 21 |
> group, but still have vchkpw suid? |
| 22 |
On the vpopmail list in the distant past, I recall mention of the |
| 23 |
concept of an authentication server, so you could have vchkpw without |
| 24 |
any additional permissions. Nobody took it up at the time, and I never |
| 25 |
heard of it again. However it would be one of the best routes to solve |
| 26 |
this. Just implement the checkpassword interface on a socket, and be |
| 27 |
done with it. |
| 28 |
|
| 29 |
> It seems that su could be easily used to brute-force passwords, too, |
| 30 |
> but it's suid by default. |
| 31 |
Yes, but su does more logging than vchkpw ;-). |
| 32 |
|
| 33 |
> Maybe what is needed is an extension to suidctl where emerge checks |
| 34 |
> any installed binaries against things present in suidctl.conf that |
| 35 |
> *should* be made suid if they're listed in there even if they're |
| 36 |
> not suid by default? |
| 37 |
This is getting into cfengine territory (which can do exactly what |
| 38 |
you're asking for here). |
| 39 |
|
| 40 |
-- |
| 41 |
Robin Hugh Johnson |
| 42 |
E-Mail : robbat2@××××××××××××××.net |
| 43 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
| 44 |
ICQ# : 30269588 or 41961639 |
| 45 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives