----- Forwarded message from Sam Varshavchik <[EMAIL PROTECTED]> -----

Doug Clements writes:

>On Fri, Jul 18, 2003 at 09:47:14AM -0400, Sam Varshavchik wrote:
>>Known bug in the vpopmail module.  Try the vpopmail mailing list.
>>If vpopmail people do not fix this bug, I'll simply pull the vpopmail 
>>module out.  I don't want to deal with their bugs any more.
>I've seen this said many times for years now. vpopmail says it's a bug in 
>authdaemon, you say it's a bug in vpopmail. How specifically does vpopmail 
>act that is problematic for sqwebmail?

It fails to clear the buffer where the username is copied to.  Therefore, a 
subsequent authentication request for a username with fewer characters will 
get leftover crap appended to it, and the userid search against the database 
will fail.

By disabling authdaemon, they're hacking around the bug by starting a new 
process for each authentication request, with all memory cleared at startup.

There's nothing wrong with authdaemon.  LDAP, PostgreSQL, or MySQL 
authentication is rock solid.  Only vpopmail craps out, when using 
authdaemon.  It's a vpopmail bug.

This is the last time I'm going to address this issue.  They'll either have 
to fix this bug, or if I continue to get their bug reports, I'll just drop 
the whole vpopmail module.

And they also better do something about the broken permissions on the 
vpopmail library.  Not a week goes by without someone whining that linking 
against -lvpopmail fails.  That's because libvpopmail.a does not have group 
or world read permissions.

You want to know why's that?  That's because the administrator password to 
MySQL is hardcoded into the library, and some time ago someone correctly 
reported to Bugtraq that with vpopmail installed, anyone on the system can 
easily lift the admin password to MySQL out of libvpopmail.a.

So how was that fixed?  By removing read permissions on libvpopmail.a.  End 
result?  When building sqwebmail or courier-imap as non-root, the link 
against libvpopmail.a now fails.  And I get the bug reports caused by the 
broken security model of vpopmail.

----- End forwarded message -----

It looks like there's 2 main problems he's detailing. The first he details looks 
pretty darn obviously a bug. Can anyone comment on why this buffer isn't cleared, and 
why it hasn't been fixed?

I'm not sure how to address the library problem. I've come across it, and anyone who 
halfway knows what they're doing should know how to get around it, but we all 
(sqwebmail and vpopmail lists) still get people who have problems with it. This sounds 
fixable by the patch I just saw that keeps the authentication information in a 
seperate file. Are there any objections to doint this and relaxing the restrictions on 
the lib directory  (at least make it executable) and the actual library file (make it 
readable)? The hard-coded login information was the only valid reason I remember for 
having the lib permissions like that. Anyone?

I've never seen this problem really anaylzed and properly investigated on the vpopmail 

I really would like sqwebmail and vpopmail to work well together, it would be quite a 
shame to lose the interoperability over some bugs that should really be fixed 


Reply via email to