Clearly you have some sort of nasty security bug yourself... Directory
permissions are NOT the responsibility of the programmer. Sure, things such
as mount, cron, etc. all check for users and do permissions checking. If
you're dumb enough to make some of these system-configuration programs
(vpopmail) open to the public, that's your issue. VPOPMAIL by default
secured my directory tree just fine, and I did even more for the directory
under it. You may want to check out if you're changing the directory
permissions on the homedir.
--
Mike
>From: "Alex W" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: security bug in vpopmail
>Date: Mon, 29 Jan 2001 00:53:58 -0500
>
>Hi,
>I have noticed a security bug in vpopmail.
>The first thing is the fact that we have to hard code the 'password' into
>the vmysql.h file before we compile vpopmail with the mysql=y option.
>That is bad.
>
>Secondly, and most importantly, ANY user on the system can go in
>/home/vpopmail/bin/ and do a "strings vuserinfo".
>If you scroll up after doing the "strings vuserinfo",
>you should look for lines similar to these:
>dir = %s
>vpopmail
>secret
>root
>localhost
>
>The second line is the database name (vpopmail), the third line is the
>password (secret), the fourth line is the username (root) and the last
>line is the host (localhost).
>All this information is in CLEAR TEXT!
>
>That is terrible. I would suggest maybe encrypting it at compile time
>because I don't want users on my system
>to gain 'root' access to my MYSQL database.
>
>For now, the only alternative is to change the read permissions on all
>binaries found in /home/vpopmail/bin/
>
>That's all for now.
>Thanks
>
>== Alex ==
>
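The workaround mentioned in the quoted post (removing read permission from the binaries under /home/vpopmail/bin/) can be audited and applied with a short script. This is an added example, not part of the thread and not vpopmail's own code; the function names `list_exposed` and `lock_down` and the secret-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from vpopmail). Audits a directory of
# binaries for files that are readable by "other" AND contain a secret the
# administrator already knows, e.g. the password compiled in from vmysql.h.
# The secret is read from a file so it never appears in the process list.

# list_exposed DIR SECRET_FILE
# Prints each regular file under DIR whose mode has the other-read bit set and
# whose bytes contain the literal string stored in SECRET_FILE.
# Assumption: file names do not contain newlines.
list_exposed() {
    find "$1" -type f -perm -004 -print | while IFS= read -r f; do
        # -F: literal match, -q: exit status only; works on binary files too.
        if grep -q -F -f "$2" -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# lock_down DIR SECRET_FILE
# Applies the workaround from the post: drop other-read on every exposed file.
# Compiled binaries still run with execute permission alone.
lock_down() {
    list_exposed "$1" "$2" | while IFS= read -r f; do
        chmod o-r -- "$f"
    done
}

# Stand-alone use (hypothetical paths): ./audit.sh /path/to/bin /root/db_secret
if [ "$#" -eq 2 ]; then
    list_exposed "$1" "$2"
fi
```

Owner and group read bits are left untouched, so group membership still decides who else can read the embedded credentials.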