---------- Forwarded message ----------
Date: Fri, 18 Jul 2003 15:37:20 -0400
Subject: [sqwebmail] Re: Sqwebmail Authorization 2
Doug Clements writes:
On Fri, Jul 18, 2003 at 09:47:14AM -0400, Sam Varshavchik wrote:
Known bug in the vpopmail module. Try the vpopmail mailing list.
If vpopmail people do not fix this bug, I'll simply pull the vpopmail module out. I don't want to deal with their bugs any more.
I've seen this said many times for years now. vpopmail says it's a bug in authdaemon, you say it's a bug in vpopmail. How specifically does vpopmail act that is problematic for sqwebmail?
It fails to clear the buffer where the username is copied to. Therefore, a subsequent authentication request for a username with fewer characters will get leftover crap appended to it, and the userid search against the database will fail.
By disabling authdaemon, they're hacking around the bug by starting a new process for each authentication request, with all memory cleared at startup.
There's nothing wrong with authdaemon. LDAP, PostgreSQL, or MySQL authentication is rock solid. Only vpopmail craps out, when using authdaemon. It's a vpopmail bug.
This is the last time I'm going to address this issue. They'll either have to fix this bug, or if I continue to get their bug reports, I'll just drop the whole vpopmail module.
And they also better do something about the broken permissions on the vpopmail library. Not a week goes by without someone whining that linking against -lvpopmail fails. That's because libvpopmail.a does not have group or world read permissions.
You want to know why's that? That's because the administrator password to MySQL is hardcoded into the library, and some time ago someone correctly reported to Bugtraq that with vpopmail installed, anyone on the system can easily lift the admin password to MySQL out of libvpopmail.a.
So how was that fixed? By removing read permissions on libvpopmail.a. End result? When building sqwebmail or courier-imap as non-root, the link against libvpopmail.a now fails. And I get the bug reports caused by the broken security model of vpopmail.
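The stale-buffer failure mode described in this message (a long-lived authentication daemon reusing a username buffer without clearing it, so a shorter name inherits the tail of the previous, longer one) can be reproduced in isolation. The following is an added, constructed C example and is not code from vpopmail, courier or authdaemon; the buffer size, the function names and the two-entry user table are assumptions chosen only to show the symptom and the fix.

```c
#include <stdio.h>
#include <string.h>

#define USERBUF 64

/* Constructed: a daemon-lifetime buffer reused across authentication
   requests, standing in for the buffer the message describes. */
static char reused_user[USERBUF];

/* Buggy lookup: copies the name's bytes but neither clears the buffer
   first nor writes a terminator, so bytes from an earlier, longer
   request survive past the end of a shorter one. */
const char *lookup_buggy(const char *name) {
    size_t n = strlen(name);
    if (n >= USERBUF) n = USERBUF - 1;
    memcpy(reused_user, name, n);
    return reused_user;
}

/* Fixed lookup: wipe the buffer before every request and terminate the
   copy, so each request sees only its own username. This is the
   in-process fix; restarting a process per request (the workaround the
   message mentions) only hides the problem by starting from zeroed memory. */
const char *lookup_fixed(const char *name) {
    memset(reused_user, 0, sizeof reused_user);
    size_t n = strlen(name);
    if (n >= USERBUF) n = USERBUF - 1;
    memcpy(reused_user, name, n);
    reused_user[n] = '\0';
    return reused_user;
}

/* Replay the two-request sequence from the thread (long name, then a
   shorter one) from a freshly started daemon and return the username
   string the second request actually searches for. */
const char *seen_after_sequence(int use_fixed) {
    const char *(*lookup)(const char *) = use_fixed ? lookup_fixed : lookup_buggy;
    memset(reused_user, 0, sizeof reused_user);   /* fresh daemon start */
    lookup("alice@example.com");                  /* first request: 17 chars */
    return lookup("bob");                         /* second request: 3 chars */
}

/* Look the second request's username up in a constructed user table.
   Returns 1 if found, 0 if the leftover bytes make the search fail. */
int second_request_succeeds(int use_fixed) {
    static const char *users[] = { "alice@example.com", "bob", NULL };
    const char *seen = seen_after_sequence(use_fixed);
    for (int i = 0; users[i] != NULL; i++)
        if (strcmp(users[i], seen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("buggy daemon searches for: \"%s\" -> %s\n",
           seen_after_sequence(0), second_request_succeeds(0) ? "found" : "not found");
    printf("fixed daemon searches for: \"%s\" -> %s\n",
           seen_after_sequence(1), second_request_succeeds(1) ? "found" : "not found");
    return 0;
}
```

With the buggy lookup the second request searches the database for "bobce@example.com" and fails, which matches the symptom reported here: authentication works for the first user a daemon handles and breaks for any later, shorter username. The fix is to clear the buffer on every request, not to avoid the daemon.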