Tom Collins writes:

> This is an interesting point and I'd love to find a clean solution to 
> this issue.

I don't think you'll find a clean solution which doesn't involve set-id.
All the others are messy to administer, like a MySQL username per system
user or adding a special group to every user (do all *nixes handle that
well these days?)

How about this:

  1) An additional user and group, vpsql, used for absolutely no other 
  purpose (except perhaps as owner of vpopmail database).

  2) MySQL username and password in a file readable only by vpsql user
  and group, and writeable only by vpsql user (if that - most people
  will probably edit it as root).

  3) A very small utility that is setgid vpsql.  It does the following
  when passed a username and password to verify.

    a) Reads the information in the password file.

    b) Drops setgid so it can do nothing further with the password file.

    c) Connects to MySQL.

    e) Verifies mail username and password against database.

    f) Returns go or no-go.

I expect at least one person will poke holes in that somewhere, but I
think the general principle is correct.  Assuming you can drop setgid
reliably (and not have it resurrected by an exploit later) then it
ought to be safe.  It would need a very close code audit but there's
not going to be much code there to audit.

The overhead of an extra process invocation per authentication is 
undesirable but, I think, unavoidable.  You could just build it all
into vchkpw but then a code audit would be a lot harder.  Admittedly,
if you read the password file as the very first thing you do and drop
setgid as the very second thing you do then the rest ought not to
matter, but with a separate vpsql user/group/program there is far
less code containing possible exploits if somebody does know a way of
regaining setgid after dropping it.

Extending the idea to do allow qmailadmin and the like to modify user
details is a SMOP.  My preference would be for several utilies each
restricted to one task like authentication, get user info, write
user info rather than one big one that takes switches telling it
what to do.

Paul Allen
Softflare Support

Reply via email to