The fact of the matter is that once a user has root, they are in complete
control anyway.  A user with root access can access the memory used by
mysql, a user with root access can modify mysql to give him passwordless
access to the databases, etc.  Another thing to keep in mind is that it's
trivial to send passwords to the mysql database automatically because the
mysql server takes a cleartext password, which means that information must
be stored somewhere.  Encrypting it is not an option because if the program
can decrypt it automatically, so can anyone else with the vpopmail API.
We, of course, are willing to accept any code modifications you might make
for added security into the vpopmail source distribution.  Again, anyone
who gains root on any system, with just basic knowledge, can easily do
anything to any password protected system, because those password
protected systems are based upon the idea that the user attempting to use
them is not root.

Alex W wrote:
> 
> What happens when a user gains root access to a machine? He can simply go
> and transfer the actual MYSQL database files to another machine... no
> prob... why go through all that work when the user can simply extract the
> username/pass from the binary, and then login to the database and view
> ALL the information in cleartext???
> 
> It's just a principle of hardcoding a password in a binary. I think it's
> wrong. You can't tell me that I'm dumb because the permissions are wrong.
> Permissions don't mean shit. And by the way, VPOPMAIL does not secure the
> directory by default. I checked it on a Linux system and FreeBSD and the
> permissions still seem to be 755 for /home/vpopmail/
> Responsibility or not, the fact is that the username/password is hardcoded
> in there and it shouldn't be.
> 
> Regards,
> == Alex ==
> 
> ----- Original Message -----
> From: "Mike Miller" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 31, 2001 5:46 PM
> Subject: Re: security bug in vpopmail
> 
> >
> > Clearly you have some sort of nasty security bug yourself...  Directory
> > permissions are NOT the responsibility of the programmer.  Sure things
> > such as mount, cron, etc all check for users and do permissions checking.
> > If you're dumb enough to make some of these system-configuration programs
> > (vpopmail) open to the public, that's your issue.  VPOPMAIL by default
> > secured my directory tree just fine, and I did even more for the directory
> > under it.  You may want to check out if you're changing the directory
> > permissions on the homedir
> >
> > --
> > Mike
> >
> >
> > >From: "Alex W" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Subject: security bug in vpopmail
> > >Date: Mon, 29 Jan 2001 00:53:58 -0500
> > >
> > >Hi,
> > >I have noticed a security bug in vpopmail.
> > >The first thing is the fact that we have to hard code the 'password' into
> > >the vmysql.h
> > >file before we compile vpopmail with the mysql=y option. That is bad.
> > >
> > >Secondly, and most importantly, ANY user on the system can go in
> > >/home/vpopmail/bin/
> > >and do a "strings vuserinfo".
> > >If you scroll up after doing the "strings vuserinfo",
> > >you should look for lines similar to these:
> > >dir = %s
> > >vpopmail
> > >secret
> > >root
> > >localhost
> > >
> > >the second line is the database name (vpopmail), the third line is the
> > >password (secret), the fourth line is
> > >the username (root) and the last line is the host (localhost).
> > >All this information is in CLEAR TEXT !
> > >
> > >That is terrible. I would suggest maybe encrypting it at compile time
> > >because I don't want users on my system
> > >to gain 'root' access to my MYSQL database.
> > >
> > >For now, the only alternative is to change the read permissions on all
> > >binaries found in /home/vpopmail/bin/
> > >
> > >That's all for now.
> > >Thanks
> > >
> > >== Alex ==
> > >
> >

-- 
[EMAIL PROTECTED]
Inter7 Internet Technologies, Inc.
www.inter7.com - 847-492-0470
New prices!  http://www.inter7.com/prices.html
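The thread turns on two checks an administrator can run against their own build: whether the MySQL credentials compiled in from vmysql.h show up as printable strings in the installed binaries (what Alex found with `strings vuserinfo`), and whether those binaries are world-readable (the 755 default discussed above). The following audit script is an added example written for this page, not code from vpopmail or from anyone in the thread. It reimplements the printable-run extraction that `strings` performs, looks for the configured secret in each regular file of a directory, and reports only files that both leak a secret and are readable by "other". The sample binary, the path name `vuserinfo` under a temporary directory, and the password value `secret` (the one quoted in Alex's mail) are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Runs of four or more printable ASCII bytes, the same rule `strings` uses by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed stand-in for a compiled vuserinfo: an ELF-like header followed by the
# string table entries quoted in the original report (not a real vpopmail binary).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"dir = %s\x00"
    + b"vpopmail\x00"
    + b"secret\x00"
    + b"root\x00"
    + b"localhost\x00"
)


def printable_strings(data: bytes) -> list:
    """Return the printable runs in `data`, in file order (what `strings` would print)."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def leaked_secrets(data: bytes, secrets) -> list:
    """Return those configured secrets that appear inside any printable run of `data`."""
    runs = printable_strings(data)
    return [s for s in secrets if any(s in run for run in runs)]


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on a st_mode value (e.g. 0o755)."""
    return bool(mode & stat.S_IROTH)


def audit_directory(path: str, secrets) -> list:
    """List (file name, octal permissions, leaked secrets) for every regular file in
    `path` that embeds a configured secret AND is readable by other users.
    Files that leak a secret but are not world-readable are not reported: that is the
    permission-based workaround the thread settles on."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.stat(full)
        if not stat.S_ISREG(st.st_mode):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        leaks = leaked_secrets(data, secrets)
        if leaks and is_world_readable(st.st_mode):
            findings.append((name, oct(st.st_mode & 0o777), leaks))
    return findings


def demo():
    """Write the constructed binary into a temporary bin directory, audit it with the
    755 default and again after tightening it to 750; returns both result lists."""
    with tempfile.TemporaryDirectory() as bindir:
        target = os.path.join(bindir, "vuserinfo")  # hypothetical install path
        with open(target, "wb") as fh:
            fh.write(SAMPLE_BINARY)
        os.chmod(target, 0o755)  # the world-readable default complained about
        before = audit_directory(bindir, ["secret"])
        os.chmod(target, 0o750)  # the permission change proposed as the workaround
        after = audit_directory(bindir, ["secret"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with 0755:", before)
    print("with 0750:", after)
```

Run it as `python audit.py` on the constructed sample, or point `audit_directory` at a real install directory with the password from your own vmysql.h as the secret list. Note that the check only addresses the non-root readers in the thread's second message; as the Inter7 reply says, a user who already has root is outside what file permissions can protect.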
