Hello,

I did a quick change to the patched port of poppassd and am wondering if you think my code would introduce any potential problems.

The idea is right after we check if the username exists, also check if the UID of that username is over 1000. I wanted to make sure that no one monkeys around with privileged users once poppassd is running.

So, the middle chunk of code is mine, everything else has been there before me.

What's the general feeling about the security of poppassd provided that users with valid passwords already have shell access to the system, and now nobody can try to change privileged accounts' passwords?

--- cut ---

    if ((pw = getpwnam (user)) == NULL)
    {
        syslog (LOG_ERR, "Unknown user, %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }

    /* begin added code */
    if ((pw->pw_uid) < 1001)
    {
        syslog (LOG_ERR, "Privileged user, %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }
    /* end added code */

    if (chkPass (user, oldpass, pw) == FAILURE)
    {
        syslog (LOG_ERR, "Incorrect password from %s", user);
        sleep (5);
        WriteToClient ("500 Old password is incorrect.");
        exit(1);
    }

--- cut ---

Perhaps if this passes everyone's scrutiny, it could be added as yet another patch to poppassd with the min UID defined somewhere in the Makefile or poppassd.c.

Thanks for your help,
Andrew
Support wrote:
> Hello,
>
> I did a quick change to the patched port of poppassd and am wondering if
> you think my code would introduce any potential problems.
>
> The idea is right after we check if the username exists, also check if the
> UID of that username is over 1000. I wanted to make sure that no one
> monkeys around with privileged users once poppassd is running.
>
> So, the middle chunk of code is mine, everything else has been there
> before me.
>
> What's the general feeling about the security of poppassd provided that
> users with valid passwords already have shell access to the system, and
> now nobody can try to change privileged accounts' passwords?

I usually don't give pop users shell access, unless they really need it. That's just me though.

> --- cut ---
>
>     if ((pw = getpwnam (user)) == NULL)
>     {
>         syslog (LOG_ERR, "Unknown user, %s", user);
>         sleep (5);
>         WriteToClient ("500 Old password is incorrect.");
>         exit(1);
>     }
>
>     /* begin added code */
>     if ((pw->pw_uid) < 1001)
>     {
>         syslog (LOG_ERR, "Privileged user, %s", user);
>         sleep (5);
>         WriteToClient ("500 Old password is incorrect.");

Wouldn't it be better to send a more descriptive error message back? Maybe something like "500 Denied for privileged user"?

Eric
--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------
++ 02/06/03 11:49 -0400 - Troy Settle:
| Perhaps someone can shed more light on the subject, but it's my
| impression that most system processes run with a UID/GID under 100. So a
| uid < 100 should deny the change request.

UIDs up to and including 999 are reserved for system use. For example, see this section in the porters handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/dads-uid.html

--pete
On Mon, Jun 02, 2003 at 10:50:38AM -0600, Wolfpaw - Dale Corse wrote:
> > Perhaps someone can shed more light on the subject, but it's my
> > impression that most system process run with a UID/GID
> > under 100. So a
> > uid < 100 should deny the change request.
>
> Perhaps, though the trend is running most things as non-priv
> users, because it minimizes the damage to the server if a
> process is compromised. Generally "non-system" accounts seem
> to start at 1000 (BSD, and most Linux), or 500 (notably Redhat)
> so.. you may want to use 500 as the magic number for portability
> reasons.

Make it configurable!!! Set a default but don't make hard coded assumptions about someone else's systems. On FreeBSD, the default should probably be 1000.

make NON_SYSTEM_ACCT_START=4321
[ cc list trimmed some ]

++ 02/06/03 10:56 -0600 - Wolfpaw - Dale Corse:
| In freebsd.. and most other things.. but some *cough* large corporate
| linux distros *cough*redhat*cough* ignore such de facto standards.. we
| must consider portability especially if the patch will be submitted
| for integration into the package..no? :)

Right, so in config.h (or wherever), '#define MAX_SYSTEM_UID 999' and allow people to tweak it.

--pete
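The following is an added example, not code from the thread or from poppassd itself. It puts Andrew's UID check behind a build-time default in the form Pete suggests (a MAX_SYSTEM_UID define, 999 by default so that UIDs from 1000 up are treated as ordinary accounts, matching the FreeBSD reservation Pete cites) and also lets the threshold be passed at run time, so a Red Hat style layout can use 499 without editing the source. The names uid_change_allowed, classify_user and the change_result enum are assumptions chosen for this example; the lookup order (unknown user first, then the UID threshold) follows the posted code. Note that the check is done on the numeric UID returned by getpwnam, not on the user name, so aliases of a system account with a low UID are refused too.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

/* Highest UID treated as a system account. Override at build time, e.g.
 *   cc -DMAX_SYSTEM_UID=499 ...
 * for distributions whose ordinary accounts start at 500.
 * (Name taken from the thread's suggestion; the value is a FreeBSD default.) */
#ifndef MAX_SYSTEM_UID
#define MAX_SYSTEM_UID 999
#endif

/* Outcome of the pre-authentication policy check (hypothetical enum). */
enum change_result {
    CHANGE_ALLOWED = 0,       /* ordinary user, proceed to chkPass() */
    CHANGE_UNKNOWN_USER = 1,  /* getpwnam() found nothing */
    CHANGE_SYSTEM_ACCOUNT = 2 /* UID at or below the threshold, refuse */
};

/* Pure policy decision: a change is allowed only for UIDs above the
 * configured system range. Kept separate from the lookup so it can be
 * unit-tested without touching the passwd database. */
int uid_change_allowed(uid_t uid, uid_t max_system_uid)
{
    return uid > max_system_uid;
}

/* Look the user up and classify the request. The caller decides what to
 * log and what text to send to the client, in the same order as the
 * posted poppassd code: unknown user first, then the UID threshold. */
enum change_result classify_user(const char *user, uid_t max_system_uid)
{
    struct passwd *pw = getpwnam(user);

    if (pw == NULL)
        return CHANGE_UNKNOWN_USER;
    if (!uid_change_allowed(pw->pw_uid, max_system_uid))
        return CHANGE_SYSTEM_ACCOUNT;
    return CHANGE_ALLOWED;
}

/* Stand-alone driver: classify the user named on the command line
 * (defaults to "root") against the compiled-in threshold. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";

    switch (classify_user(user, (uid_t)MAX_SYSTEM_UID)) {
    case CHANGE_ALLOWED:
        printf("%s: password change would be allowed\n", user);
        break;
    case CHANGE_UNKNOWN_USER:
        printf("%s: unknown user\n", user);
        break;
    case CHANGE_SYSTEM_ACCOUNT:
        printf("%s: system account (uid <= %d), change refused\n",
               user, (int)MAX_SYSTEM_UID);
        break;
    }
    return 0;
}
```

Keeping the threshold check on the numeric UID and separate from the lookup also makes it easy to log the refused UID alongside the name, which is what an operator wants when reviewing repeated attempts against low-numbered accounts.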