> From: Robert L Mathews <[EMAIL PROTECTED]>
>
> I traced through the code and verified to my own satisfaction that the
> password can never be passed to the shell in the first case (user login).
> Therefore, I disabled the badstr() check in that case, and users can now
> log in with their funky passwords.
Strange.... I did that and it still doesn't work. Here's my change in
webmail/auth.c::login:
    if (badstr(uid)) /* || badstr(pass))*/
        return (NULL);
I just commented out checking the password only.
> The second case (user changing password) is NOT safe to disable, as the
> password may be passed to the shell by password-changing modules. I left
> the badstr() check in place there.
Good point, potentially, but in reality PAM checks with cracklib, so where's
the security hole? Services should be modular and not distributed, right
(one of them being qualifying passwords)?
I also found password filtering in authlib/authdaemond.c::passwd() and
disabled that, but there's still some checking somewhere else that I can't
seem to find (ver 0.37.2).
thanks for the help though!
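The reason the badstr() filter exists on the password-change path is that a module may splice the password into a command line for /bin/sh. As an added illustration (not Courier's code), the following shows the naive string-building beside a helper invocation that uses execv plus a stdin pipe, so the shell never sees the password and no metacharacter filter is needed; the helper path, its argv and the "one line on stdin" protocol are assumptions for the demo, and /bin/cat stands in for the helper so the bytes can be checked on the way back out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Naive approach: the password is embedded in text that /bin/sh will parse.
 * A quote or metacharacter in pass changes what the shell does, which is
 * exactly the hazard a badstr()-style filter was added to block.
 * Returns 1 if the string fit, 0 otherwise. The helper path is hypothetical. */
int naive_command(const char *pass, char *buf, size_t n)
{
    int len = snprintf(buf, n, "/usr/local/bin/chpass-helper '%s'", pass);
    return len >= 0 && (size_t)len < n;
}

/* Safe approach: execv the helper directly (no shell) and write the password
 * to its stdin as a single line. The helper's stdout is collected into out.
 * Returns the helper's exit status, or -1 on error. */
int run_helper(char *const helper_argv[], const char *pass, char *out, size_t n)
{
    int in[2], outp[2], status;
    if (n == 0 || pipe(in) < 0 || pipe(outp) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: wire pipes, exec helper */
        dup2(in[0], STDIN_FILENO);
        dup2(outp[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(outp[0]); close(outp[1]);
        execv(helper_argv[0], helper_argv);
        _exit(127);                       /* only reached if execv fails */
    }
    close(in[0]); close(outp[1]);
    /* The password is plain data on the pipe: nothing interprets it. */
    if (write(in[1], pass, strlen(pass)) < 0 || write(in[1], "\n", 1) < 0) {
        close(in[1]); close(outp[0]); return -1;
    }
    close(in[1]);
    size_t got = 0; ssize_t r;
    while (got < n - 1 && (r = read(outp[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(outp[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```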
_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users