On Friday 23 December 2005 02:22 pm, FX wrote:
> I don't see 'chmod 4755 vchkpw' at
> http://www.inter7.com/vpopmail/install.txt but I'm seeing it on various
> websites--are there added risks by doing this?

yes.  if you have local users on the system, they can now use vchkpw to 
attempt to brute force authenticate vpopmail account passwords.  Also, if 
vpopmail is configured to check /etc/passwd accounts, they can attempt to 
brute force these as well.

Also, if a vulnerability is discovered in vpopmail, the local user could 
potentially take advantage of the vulnerability to compromise the system.

Of course, this isn't limited to vpopmail, since high risks are taken any time 
you allow a binary to be run setuid.

One thing you could do to mitigate this is to make the vchkpw binary mode 
4750, and set the group to say.. vchkpw.  Then any user in the vchkpw group 
(which should not be many) can execute it, and users not in the group cannot.

> Basically, I'm wondering about this because I'm using
> netqmail-1.05+chkuser-2.08b+vpopmail and considering using
> CHKUSER_ENABLE_UIDGID feature of chkuser.

chkuser doesn't use vchkpw.  If you want to use chkuser, you either have to 
make your smtp service run as a user who can read the vpopmail domains, or 
make qmail-smtpd setuid (not a good idea, since there's absolutely zero 
reason for qmail-smtpd to be setuid)

> What do you recommend?

I recommend you tell us what you're trying to do, precisely, and we can make a 
recommendation :)  Also, you might pick up a book on UNIX security, so you 
can get a better understanding of how to run a secure UNIX system. :)  I've 
been meaning to get one for myself for a long time, so let me know if you 
find a good one ;)


Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.

Attachment: pgpYvB2eNUm4B.pgp
Description: PGP signature

Reply via email to