From a security perspective, checkpassword is very much like the 'su'
program. If a user/password matches, it changes to the permissions of
that user. The major difference is that checkpassword is normally not
setuid root - it inherits root, originally from tcpserver.
Similarly, checkpassword is very small and is quite careful about
giving out those permissions.
This makes me wonder - when setting up a POP service, is it better to:
a) have a relatively large and complex program like tcpserver run as
root, have it in turn run qmail-popup as root (admittedly a small
program) and finally run checkpassword as root.
or
b) have tcpserver run as a nobody, thus have qmail-popup run as a
nobody and have checkpassword setuid root so that it can change to the
permissions of the user?
The main risk I see in b) is that you provide yet another setuid
program to shell users - if you have them. checkpassword can of course
be partitioned off at the file system so that only the particular
'nobody' can run it.
Regards.
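To make the partitioning in option b) concrete, here is a small POSIX shell check (an added example, not code from the post or from the qmail tools) that classifies how widely a setuid binary such as checkpassword is exposed, using only the permission string from ls -ld. The path and the idea of a dedicated group for the 'nobody' user running qmail-popup are assumptions for illustration.

```shell
#!/bin/sh
# Classify the exposure of a setuid binary from its ls -ld permission
# string (POSIX-portable, no GNU stat needed). Prints one word:
#   none  - setuid bit not set (option a: plain binary run as root)
#   world - setuid and executable by everyone (every shell user can run it)
#   group - setuid but not world-executable (only owner/group, i.e. the
#           partitioned layout where only the POP 'nobody' can run it)
setuid_exposure() {
    perms=$(ls -ld "$1" | cut -c1-10) || return 2
    case "$perms" in
        ???[sS]*) ;;                  # setuid bit present in owner triplet
        *) echo none; return 0 ;;
    esac
    case "$perms" in
        ?????????[xt]) echo world ;;  # others have execute permission
        *) echo group ;;              # execute restricted to owner/group
    esac
}

# One-line report of owner, group and exposure, so a reviewer can confirm
# the binary is root-owned and the group is the dedicated POP group.
describe_setuid() {
    f=$1
    exposure=$(setuid_exposure "$f") || return 2
    owner=$(ls -ld "$f" | awk '{print $3}')
    group=$(ls -ld "$f" | awk '{print $4}')
    echo "$f owner=$owner group=$group setuid=$exposure"
}

# Example usage (path is a hypothetical install location):
#   describe_setuid /var/qmail/bin/checkpassword
```

For the layout the post describes, the expected result is owner=root, a dedicated group containing only the POP 'nobody' user, and exposure "group"; "world" means every local shell user gets the extra setuid program.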