-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 29 May 00, at 8:52, Denise Williams wrote:

> solution: /bin/checkpassword needs to be suid'ed to root for those
> systems using shadow passwords.

Don't do that! You have just created a target for a dictionary attack; 
suid /bin/checkpassword is /bin/su without bad-attempt logging 
(and with a somewhat unusual interface).

If you definitely need to run /bin/checkpassword as root, it's 
healthier to run tcpserver on port 25 as root (not as qmaild) and 
drop root after checking name and password. It's still far from being 
ideal, though.

On a PAMified system, you should be able to get away with it 
without running code as root (root is necessary to install the PAM 
script in /etc/pam.d only).

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBOTJb5lMwP8g7qbw/EQKDCwCfYAjiqKwfaBU8AxRUu/rVcBBV88IAoIHO
0nw4CFMIbsIxi+OpMqRT8qvj
=Lh5Y
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]
