unable to login
Wil Cooley
wcooley at nakedape.cc
Wed Jul 7 17:50:22 EDT 2004
On Wed, 2004-07-07 at 12:45, Mike Beattie wrote:
> And I hate to point out, but then, if a malicious user manages to find a
> flaw in cyrus they could hypothetically use that flaw to get a copy of
> /etc/shadow. (If I'm mistaken, *please* correct me)
>
> Only the second worst thing after actually getting a root shell, IMO.
Well, I suppose it's possible, but it's better than giving all SASL
applications read access to /etc/shadow, because there's far less code
to review and audit in saslauthd than Cyrus IMAP, Postfix, OpenLDAP,
etc. Not to mention that applications communicate with saslauthd over a
socket protocol, which one hopes goes to great lengths to sanitize input.
Wil
--
Wil Cooley wcooley at nakedape.cc
Naked Ape Consulting http://nakedape.cc
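To make the "sanitize input" point concrete, here is an added example (not code from this thread or from Cyrus SASL) of the daemon-side strictness the saslauthd socket protocol allows. It frames a request the way saslauthd does as I understand it: four fields (login, password, service, realm), each prefixed by a 16-bit big-endian length, answered by an OK/NO reply framed the same way; the per-field cap of 256 bytes and the in-memory credential store are assumptions for illustration.

```python
import struct

MAX_FIELD = 256  # assumed per-field cap; saslauthd itself uses a fixed limit
FIELDS = ("login", "password", "service", "realm")


class FrameError(ValueError):
    """Raised for any malformed request frame; the client only ever sees NO."""


def encode_request(login, password, service, realm):
    """Client side: each field is a 16-bit network-order length plus the bytes."""
    out = b""
    for value in (login, password, service, realm):
        data = value.encode("utf-8")
        if len(data) > MAX_FIELD:
            raise FrameError("field too long")
        out += struct.pack(">H", len(data)) + data
    return out


def decode_request(buf):
    """Daemon side: every length is checked against the remaining buffer and the
    per-field cap, NUL bytes and bad UTF-8 are rejected, and so are trailing bytes."""
    fields, pos = {}, 0
    for name in FIELDS:
        if len(buf) - pos < 2:
            raise FrameError(f"truncated length for {name}")
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        if n > MAX_FIELD:
            raise FrameError(f"{name} exceeds {MAX_FIELD} bytes")
        if len(buf) - pos < n:
            raise FrameError(f"truncated data for {name}")
        data = buf[pos:pos + n]
        pos += n
        if b"\x00" in data:
            raise FrameError(f"NUL byte in {name}")
        try:
            fields[name] = data.decode("utf-8")
        except UnicodeDecodeError:
            raise FrameError(f"invalid UTF-8 in {name}") from None
    if pos != len(buf):
        raise FrameError("trailing bytes after realm")
    return fields


def encode_response(ok, message=""):
    """Reply is framed like a field: 16-bit length, then 'OK' or 'NO <reason>'."""
    data = (("OK " if ok else "NO ") + message).strip().encode("utf-8")
    return struct.pack(">H", len(data)) + data


def handle_request(buf, verify):
    """Only this process touches the credential store (the `verify` callable);
    a malformed frame is answered with NO and never reaches the verifier."""
    try:
        req = decode_request(buf)
    except FrameError as exc:
        return encode_response(False, str(exc))
    return encode_response(verify(req["login"], req["password"],
                                  req["service"], req["realm"]))
```

A constructed store such as `{"alice": "s3cret"}` wrapped in a `verify` function stands in for the shadow file; the clients in the thread (Cyrus IMAP, Postfix, OpenLDAP) would only ever see the framed OK/NO reply.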