At 2/25/02 2:14 PM, marc lindahl wrote:

>Strange.... I did that and it still doesn't work. Here's my change in
>webmail/auth.c::login:
>
>    if (badstr(uid)) /* || badstr(pass))*/
>        return (NULL);
>
>I just commented out checking the password only.

That's the exact change I made (at line 259) and it solved the problem, so it should work for you. Check that you've recompiled/reinstalled properly.

>> The second case (user changing password) is NOT safe to disable, as the
>> password may be passed to the shell by password-changing modules. I left
>> the badstr() check in place there.
>
>Good point, potentially, but in reality PAM checks with cracklib, so where's
>the security hole? Services should be modular and not distributed, right
>(one of them being qualifying passwords)?

I only traced through the code for password checking and verified that the "pass" variable is never made available to the shell after being run through badstr(), so the check there is (in my opinion) not needed.

But during password *changing* (the second badstr call in auth.c), there's a whole different code path I didn't check, and I can only repeat the warning Sam gave me that some modules can potentially make those characters available to the shell.

--
Robert L Mathews, Tiger Technologies

"The trouble with doing something right the first time is that nobody appreciates how difficult it was."

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
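As an added example, not Courier's code and not written by anyone in this thread: a badstr()-style filter that rejects shell metacharacters, beside a single-quoting helper of the kind a password-changing module would need if it ever hands the password to /bin/sh. The metacharacter list and the function names are assumptions, not Courier's.

```c
/* Added example (hypothetical names, not Courier's auth.c): a badstr()-style
 * metacharacter filter, and the quoting that makes a string safe as a single
 * word for /bin/sh when passing it to a shell cannot be avoided. */
#include <stddef.h>
#include <string.h>

/* Characters a POSIX shell interprets (hypothetical list, not Courier's). */
static const char shell_meta[] = "`$\\\"'|&;<>()[]{}*?~!#\n\r \t";

/* Returns 1 if s contains any shell metacharacter, 0 otherwise. */
int badstr(const char *s)
{
    for (; *s; s++)
        if (strchr(shell_meta, *s))
            return 1;
    return 0;
}

/* Wraps s in single quotes so /bin/sh treats it as one literal word.
 * Inside single quotes only the quote itself is special; it is emitted as
 * '\'' (close quote, escaped quote, reopen).  Returns the length written
 * into out (capacity n), or -1 if out is too small. */
int shell_quote(const char *s, char *out, size_t n)
{
    size_t i = 0;
    if (n < 3)
        return -1;
    out[i++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (i + 6 > n)          /* 4 bytes now + closing quote + NUL */
                return -1;
            memcpy(out + i, "'\\''", 4);
            i += 4;
        } else {
            if (i + 3 > n)          /* 1 byte now + closing quote + NUL */
                return -1;
            out[i++] = *s;
        }
    }
    out[i++] = '\'';
    out[i] = '\0';
    return (int)i;
}

/* Helper for checking: quotes s and compares with the expected word. */
int quote_matches(const char *s, const char *expected)
{
    char buf[64];
    return shell_quote(s, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
```

The filter is the cheap defence the thread debates; the quoting shows what a module that really must build a command line has to do so that a password like `x;id` stays one argument instead of becoming a second command.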
