75 messages in net.sourceforge.lists.courier-usersRe: [courier-users] Re: webmail doesn...| From | Sent On | Attachments |
|---|---|---|
| M.B. | Feb 15, 2002 8:25 pm | |
| Sam Varshavchik | Feb 15, 2002 9:00 pm | |
| Juha Saarinen | Feb 15, 2002 9:13 pm | |
| M.B. | Feb 16, 2002 12:37 am | |
| M.B. | Feb 16, 2002 12:51 am | |
| Juha Saarinen | Feb 16, 2002 1:34 am | |
| M.B. | Feb 16, 2002 1:37 am | |
| Juha Saarinen | Feb 16, 2002 1:41 am | |
| M.B. | Feb 16, 2002 2:28 am | |
| M.B. | Feb 16, 2002 2:30 am | |
| Sam Varshavchik | Feb 16, 2002 6:38 am | |
| William Rowden | Feb 16, 2002 9:31 am | |
| M.B. | Feb 16, 2002 4:05 pm | |
| Sam Varshavchik | Feb 16, 2002 4:39 pm | |
| M.B. | Feb 16, 2002 7:11 pm | |
| M.B. | Feb 16, 2002 7:29 pm | |
| Tucker | Feb 16, 2002 7:42 pm | |
| Sam Varshavchik | Feb 16, 2002 7:49 pm | |
| M.B. | Feb 16, 2002 7:55 pm | |
| M.B. | Feb 16, 2002 7:57 pm | |
| Sam Varshavchik | Feb 16, 2002 8:06 pm | |
| M.B. | Feb 17, 2002 8:57 am | |
| M.B. | Feb 17, 2002 9:02 am | |
| M.B. | Feb 17, 2002 10:23 am | |
| Sam Varshavchik | Feb 17, 2002 12:32 pm | |
| M.B. | Feb 17, 2002 3:23 pm | |
| M.B. | Feb 17, 2002 3:53 pm | |
| M.B. | Feb 17, 2002 7:53 pm | |
| Juha Saarinen | Feb 17, 2002 8:09 pm | |
| M.B. | Feb 17, 2002 8:28 pm | |
| M.B. | Feb 17, 2002 8:44 pm | |
| David M. Stowell | Feb 17, 2002 9:07 pm | |
| Sam Varshavchik | Feb 17, 2002 9:19 pm | |
| Juha Saarinen | Feb 17, 2002 10:21 pm | |
| Juha Saarinen | Feb 17, 2002 10:24 pm | |
| David M. Stowell | Feb 17, 2002 10:29 pm | |
| David M. Stowell | Feb 17, 2002 10:32 pm | |
| M.B. | Feb 17, 2002 11:17 pm | |
| M.B. | Feb 17, 2002 11:22 pm | |
| M.B. | Feb 18, 2002 12:53 am | |
| Sysop | Feb 18, 2002 8:28 am | |
| William Rowden | Feb 18, 2002 11:34 am | |
| M.B. | Feb 18, 2002 3:42 pm | |
| David M. Stowell | Feb 18, 2002 4:49 pm | |
| M.B. | Feb 18, 2002 5:15 pm | |
| David M. Stowell | Feb 18, 2002 5:26 pm | |
| M.B. | Feb 18, 2002 7:21 pm | |
| David M. Stowell | Feb 18, 2002 7:45 pm | |
| Juha Saarinen | Feb 18, 2002 8:09 pm | |
| Sam Varshavchik | Feb 18, 2002 8:41 pm | |
| marc lindahl | Feb 20, 2002 12:19 am | |
| marc lindahl | Feb 22, 2002 6:16 am | |
| Anand Buddhdev | Feb 22, 2002 6:28 am | |
| marc lindahl | Feb 22, 2002 8:23 am | |
| marc lindahl | Feb 22, 2002 8:44 am | |
| Juha Saarinen | Feb 22, 2002 11:36 am | |
| M.B. | Feb 23, 2002 11:55 pm | |
| Jan Lange | Feb 24, 2002 5:06 am | |
| marc lindahl | Feb 24, 2002 10:10 am | |
| marc lindahl | Feb 24, 2002 10:16 am | |
| marc lindahl | Feb 24, 2002 1:38 pm | |
| Sam Varshavchik | Feb 24, 2002 1:46 pm | |
| Anand Buddhdev | Feb 24, 2002 2:07 pm | |
| marc lindahl | Feb 24, 2002 2:31 pm | |
| Sam Varshavchik | Feb 24, 2002 2:45 pm | |
| Juha Saarinen | Feb 24, 2002 2:53 pm | |
| marc lindahl | Feb 24, 2002 2:59 pm | |
| Anand Buddhdev | Feb 24, 2002 5:40 pm | |
| marc lindahl | Feb 24, 2002 6:13 pm | |
| Francois PHILIPPO | Feb 24, 2002 11:59 pm | |
| Sam Varshavchik | Feb 25, 2002 4:35 am | |
| Robert L Mathews | Feb 25, 2002 12:03 pm | |
| marc lindahl | Feb 25, 2002 2:14 pm | |
| Robert L Mathews | Feb 25, 2002 3:23 pm | |
| marc lindahl | Mar 4, 2002 3:11 am |
| Subject: | Re: [courier-users] Re: webmail doesn't like asterisk in password? | |
|---|---|---|
| From: | Robert L Mathews (lis...@tigertech.com) | |
| Date: | Feb 25, 2002 3:23:41 pm | |
| List: | net.sourceforge.lists.courier-users | |
At 2/25/02 2:14 PM, marc lindahl wrote:
Strange.... I did that and it still doesn't work. Here's my change in webmail/auth.c::login:
if (badstr(uid)) /* || badstr(pass))*/ return (NULL);
I just commented out checking the password only.
That's the exact change I made (at line 259) and it solved the problem, so it should work for you. Check that you've recompiled/reinstalled properly.
The second case (user changing password) is NOT safe to disable, as the password may be passed to the shell by password-changing modules. I left the badstr() check in place there.
Good point, potentially, but in reality PAM checks with cracklib, so where's the security hole? Services should be modular and not distributed, right (one of them being qualifying passwords)?
I only traced through the code for password checking and verified that the "pass" variable is never made available to the shell after being run through badstr(), so the check there is (in my opinion) not needed.
But during password *changing* (the second badstr call in auth.c), there's a whole different code path I didn't check, and I can only repeat the warning Sam gave me that some modules can potentially make those characters available to the shell.
-- Robert L Mathews, Tiger Technologies
"The trouble with doing something right the first time is that nobody appreciates how difficult it was."