unable to login

Wil Cooley wcooley at nakedape.cc
Wed Jul 7 17:50:22 EDT 2004

On Wed, 2004-07-07 at 12:45, Mike Beattie wrote:

> And I hate to point out, but then, if a malicious user manages to find a
> flaw in cyrus they could hypothetically use that flaw to get a copy of
> /etc/shadow. (If I'm mistaken, *please* correct me)
> Only the second worst thing after actually getting a root shell, IMO.

Well, I suppose it's possible, but it's better than giving all SASL
applications read access to /etc/shadow, because there's far less code
to review and audit in saslauthd than Cyrus IMAP, Postfix, OpenLDAP,
etc.  Not to mention that applications communicate with saslauthd over a
socket protocol, which one hopes goes to great lengths sanitize input.

Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.andrew.cmu.edu/mailman/private/info-cyrus/attachments/20040707/bce5b5e1/attachment.bin

More information about the Info-cyrus mailing list