[sqwebmail] Re: sqwebpasswd installation bug - Brian Candler - net.sourceforge.lists.courier-sqwebmail

3 messages in net.sourceforge.lists.courier-sqwebmail[sqwebmail] Re: sqwebpasswd installat...

From	Sent On	Attachments
Brian Candler	Apr 23, 2005 3:33 am
Sam Varshavchik	Apr 23, 2005 5:16 am
Brian Candler	Apr 23, 2005 6:35 am

	Permalink for this message Paste this link in email or IM:
	Permalink for this thread Paste this link in email or IM:
	Atom feed for this thread Paste this URL into your reader:

Subject:	[sqwebmail] Re: sqwebpasswd installation bug	Actions...
From:	Brian Candler (B.Ca...@pobox.com)
Date:	Apr 23, 2005 6:35:13 am
List:	net.sourceforge.lists.courier-sqwebmail

On Sat, Apr 23, 2005 at 12:33:53PM +0200, Brian Candler wrote:

It does seem to me that sqwebpasswd is something of a system security hole, as it's unprotected and can bump you up into the wheel group (currently), or the mail group (when this bug is fixed).

Hmm, it's not a big deal after all - the only thing you can do with it is to send a change password request to authdaemond, since the 'PASSWD ' prefix is always added.

There is a five-second delay on failed requests to make it harder to do dictionary attacks against passwords. However, nothing stops you running (say) 100 dictionary attack processes concurrently, which will let you check 20 passwords per second, or 1.73m passwords per day,

Anyway, the point about it being installed sgid wheel still applies.

Regards,

Brian.

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets
	Permalink to these results Paste this link in email or IM:
	Atom feed for tracking future search results Paste this URL into your reader: