----- Forwarded message from Sam Varshavchik <[EMAIL PROTECTED]> -----
Doug Clements writes:
>On Fri, Jul 18, 2003 at 09:47:14AM -0400, Sam Varshavchik wrote:
>>Known bug in the vpopmail module. Try the vpopmail mailing list.
>>If vpopmail people do not fix this bug, I'll simply pull the vpopmail
>>module out. I don't want to deal with their bugs any more.
>I've seen this said many times for years now. vpopmail says it's a bug in
>authdaemon, you say it's a bug in vpopmail. How specifically does vpopmail
>act that is problematic for sqwebmail?
It fails to clear the buffer where the username is copied to. Therefore, a
subsequent authentication request for a username with fewer characters will
get leftover crap appended to it, and the userid search against the database
By disabling authdaemon, they're hacking around the bug by starting a new
process for each authentication request, with all memory cleared at startup.
There's nothing wrong with authdaemon. LDAP, PostgreSQL, or MySQL
authentication is rock solid. Only vpopmail craps out, when using
authdaemon. It's a vpopmail bug.
This is the last time I'm going to address this issue. They'll either have
to fix this bug, or if I continue to get their bug reports, I'll just drop
the whole vpopmail module.
And they also better do something about the broken permissions on the
vpopmail library. Not a week goes by without someone whining that linking
against -lvpopmail fails. That's because libvpopmail.a does not have group
or world read permissions.
You want to know why's that? That's because the administrator password to
MySQL is hardcoded into the library, and some time ago someone correctly
reported to Bugtraq that with vpopmail installed, anyone on the system can
easily lift the admin password to MySQL out of libvpopmail.a.
So how was that fixed? By removing read permissions on libvpopmail.a. End
result? When building sqwebmail or courier-imap as non-root, the link
against libvpopmail.a now fails. And I get the bug reports caused by the
broken security model of vpopmail.
----- End forwarded message -----
It looks like there's 2 main problems he's detailing. The first he details looks
pretty darn obviously a bug. Can anyone comment on why this buffer isn't cleared, and
why it hasn't been fixed?
I'm not sure how to address the library problem. I've come across it, and anyone who
halfway knows what they're doing should know how to get around it, but we all
(sqwebmail and vpopmail lists) still get people who have problems with it. This sounds
fixable by the patch I just saw that keeps the authentication information in a
seperate file. Are there any objections to doint this and relaxing the restrictions on
the lib directory (at least make it executable) and the actual library file (make it
readable)? The hard-coded login information was the only valid reason I remember for
having the lib permissions like that. Anyone?
I've never seen this problem really anaylzed and properly investigated on the vpopmail
I really would like sqwebmail and vpopmail to work well together, it would be quite a
shame to lose the interoperability over some bugs that should really be fixed