From: Chris Elsworth
Subject: Re: [tpop3d-discuss] Make tpop3d not run as root, and send another banner..
Date: Fri, 9 Aug 2002 16:24:25 +0100
User-agent: Mutt/1.5.1i

On Mon, Aug 05, 2002 at 02:17:21PM +0100, Chris Lightfoot wrote:
> On Mon, Aug 05, 2002 at 09:45:08AM -0300, Davi Arnaut wrote:
> > Some of you, like me, who run tpop3d with auth on mysql,
> > and all mailspool under the same uid/gid, and wonder why
> > tpop3d still runs under root uid, this is a patch to
> > make tpop3d run under the uid of the mailspool, dropping root
> > privileges, making tpop3d more secure.
> 
> That's a good idea. I'll put a non-hard-coded version
> in the `to do' list for the next version....
> 
> 
> > And this is for those who, for security reasons, want
> > to change the tpop3d "banner" for something else..
> > 
> > On around line 128 in connection.c change:
> > 
> > if (!connection_sendresponse(c, 1, c->timestamp)) {
> > to:
> > if (!connection_sendresponse(c, 1, _("Pop3 Hello World!"))) {
> > 
> > It should be like this:
> > 
> > c->idlesince = time(NULL);
> > if (!connection_sendresponse(c, 1, _("Hello World!")) ) {
> > log_print(LOG_ERR, "connection_new: could not s......
> > goto fail; }
> 
> Hmm. One consequence of this is that APOP logins can't
> work -- they depend on the existence of a bracketed
> timestamp string.

A couple of sacrifices like this are more than acceptable, I think, in
order to gain increased security. The option is there, if you don't
use APOP, then you may wish to use it :) I wouldn't say it's a reason
not to put it in, though.

-- 
Chris
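
The APOP dependency raised in the thread, as an added example that is not part of the original messages and is not tpop3d code: a client-side extraction of the bracketed timestamp from a greeting, plus a hypothetical `make_banner` helper showing that custom greeting text can coexist with the timestamp. The function names, the "+OK" line layout and the sample timestamp are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the bracketed APOP timestamp (brackets included) out of a POP3
 * greeting. Returns 0 on success, -1 when the greeting has no complete,
 * non-empty <...> token or the token does not fit in out. */
int apop_timestamp(const char *greeting, char *out, size_t outlen)
{
    const char *lt = strchr(greeting, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    size_t n;

    if (!gt || gt - lt < 2)
        return -1;
    n = (size_t)(gt - lt) + 1;
    if (n >= outlen)
        return -1;
    memcpy(out, lt, n);
    out[n] = '\0';
    return 0;
}

/* Hypothetical helper (not tpop3d code): build a greeting from site-chosen
 * text and keep the timestamp as its only bracketed token. Text containing
 * brackets or CR/LF is refused so it cannot shadow the timestamp or split
 * the response line. */
int make_banner(char *buf, size_t buflen, const char *text, const char *timestamp)
{
    int n;

    if (strpbrk(text, "<>\r\n"))
        return -1;
    n = snprintf(buf, buflen, "+OK %s %s\r\n", text, timestamp);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real server. */
    const char *ts = "<4242.1028906665@mail.example.org>";
    char banner[128], found[64];

    if (apop_timestamp("+OK Pop3 Hello World!\r\n", found, sizeof found) != 0)
        printf("fixed banner: no timestamp, APOP unavailable\n");
    if (make_banner(banner, sizeof banner, "POP3 server ready", ts) == 0 &&
        apop_timestamp(banner, found, sizeof found) == 0)
        printf("custom banner keeps timestamp: %s\n", found);
    return 0;
}
```

An APOP client hashes the extracted timestamp together with the shared secret (MD5, per RFC 1939), so a greeting for which `apop_timestamp` returns -1 leaves only USER/PASS available.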

