unable to login
Rob Siemborski
rjs3 at andrew.cmu.edu
Thu Jul 8 00:01:52 EDT 2004
On Wed, 7 Jul 2004, Wil Cooley wrote:
> On Wed, 2004-07-07 at 12:45, Mike Beattie wrote:
>
> > And I hate to point out, but then, if a malicious user manages to find a
> > flaw in cyrus they could hypothetically use that flaw to get a copy of
> > /etc/shadow. (If I'm mistaken, *please* correct me)
> >
> > Only the second worst thing after actually getting a root shell, IMO.
>
> Well, I suppose it's possible, but it's better than giving all SASL
> applications read access to /etc/shadow, because there's far less code
> to review and audit in saslauthd than Cyrus IMAP, Postfix, OpenLDAP,
> etc. Not to mention that applications communicate with saslauthd over a
> socket protocol, which one hopes goes to great lengths to sanitize input.
Wil nailed it dead on. At some level, *something* is going to have to
read /etc/shadow if that is how you are doing your authentication.
Saslauthd limits the amount of code that needs to access that file (and
thus the amount of code to verify).
-Rob
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html