On Fri, Jul 25, 2003 at 06:23:45PM -0700, Jason wrote:
> OK, So I recompile sqwebmail without authdaemond then how do I authenticate
> my users?
sqwebmail will link in the authentication modules it requires directly,
rather than going via authdaemond.
> I don't understand how this is a vpopmail problem since my users
> who authenticate using an MUA such as Outlook Express do not have any
> problems whatsoever. It's just with sqwebmail that authentication fails
> even when my users use the correct login and password.
What application does your MUA talk to? I guess it is something which starts
a new process for every connection.
The bug in vpopmail is that it does not re-initialise its buffers properly
when you make a second authentication request from the same process. Sam
explained the problem thoroughly, see attached message.
It sounds like a 2-second fix, but as I don't use vpopmail myself I'm not
inclined to go digging round their code to fix it.
Regards,
Brian.
--- Begin Message ---
Doug Clements writes:
> On Fri, Jul 18, 2003 at 09:47:14AM -0400, Sam Varshavchik wrote:
>> Known bug in the vpopmail module. Try the vpopmail mailing list.
>> If vpopmail people do not fix this bug, I'll simply pull the vpopmail
>> module out. I don't want to deal with their bugs any more.
> I've seen this said many times for years now. vpopmail says it's a bug in
> authdaemon, you say it's a bug in vpopmail. How specifically does vpopmail
> act that is problematic for sqwebmail?
It fails to clear the buffer where the username is copied to. Therefore, a
subsequent authentication request for a username with fewer characters will
get leftover crap appended to it, and the userid search against the database
will fail.
By disabling authdaemon, they're hacking around the bug by starting a new
process for each authentication request, with all memory cleared at startup.
There's nothing wrong with authdaemon. LDAP, PostgreSQL, or MySQL
authentication is rock solid. Only vpopmail craps out, when using
authdaemon. It's a vpopmail bug.
This is the last time I'm going to address this issue. They'll either have
to fix this bug, or if I continue to get their bug reports, I'll just drop
the whole vpopmail module.
And they also better do something about the broken permissions on the
vpopmail library. Not a week goes by without someone whining that linking
against -lvpopmail fails. That's because libvpopmail.a does not have group
or world read permissions.
You want to know why's that? That's because the administrator password to
MySQL is hardcoded into the library, and some time ago someone correctly
reported to Bugtraq that with vpopmail installed, anyone on the system can
easily lift the admin password to MySQL out of libvpopmail.a.
So how was that fixed? By removing read permissions on libvpopmail.a. End
result? When building sqwebmail or courier-imap as non-root, the link
against libvpopmail.a now fails. And I get the bug reports caused by the
broken security model of vpopmail.
--- End Message ---
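As an added illustration of the failure mode Sam describes (a long-lived authentication process reusing a username buffer without clearing it, so a shorter name inherits the tail of the previous one and the database lookup fails), here is a constructed C example. It is not vpopmail's or Courier's code; the buffer names, the `auth_*` functions and the in-memory user table are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define USERBUF_LEN 64

/* Constructed: one process (like authdaemond) serves many requests, so these
 * static buffers survive from one authentication request to the next. */
static char userbuf_buggy[USERBUF_LEN];
static char userbuf_fixed[USERBUF_LEN];

/* Constructed stand-in for the user database the module searches. */
static const char *const db_users[] = { "alexander", "bob" };

int db_user_exists(const char *name)
{
    for (size_t i = 0; i < sizeof db_users / sizeof db_users[0]; i++)
        if (strcmp(db_users[i], name) == 0)
            return 1;
    return 0;
}

/* Buggy: copies the new name's bytes over the old contents but never
 * terminates or clears, so leftovers from the previous request remain. */
const char *auth_buggy_username(const char *user)
{
    size_t n = strlen(user);
    if (n >= USERBUF_LEN)
        return NULL;
    memcpy(userbuf_buggy, user, n);
    return userbuf_buggy;
}

/* Fixed: reinitialise the buffer on every request and always terminate. */
const char *auth_fixed_username(const char *user)
{
    size_t n = strlen(user);
    if (n >= USERBUF_LEN)
        return NULL;
    memset(userbuf_fixed, 0, sizeof userbuf_fixed);
    memcpy(userbuf_fixed, user, n);
    userbuf_fixed[n] = '\0';
    return userbuf_fixed;
}

int main(void)
{
    /* Second request in the same process: "bob" becomes "bobxander". */
    auth_buggy_username("alexander");
    printf("buggy: bob -> %s\n", auth_buggy_username("bob"));
    auth_fixed_username("alexander");
    printf("fixed: bob -> %s\n", auth_fixed_username("bob"));
    return 0;
}
```

Starting a fresh process per request (the authdaemond-less build) hides the defect only because static storage is zeroed at startup.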