Timo Sirainen wrote:
On Sun, 2008-03-09 at 03:50 -0400, Adam McDougall wrote:
Mar 8 17:02:17 boomhauer dovecot: auth-worker(default): BUG: PASSV had
missing parameters
Thanks, I kept trying to figure out what caused this and then started
wondering about password escaping and found the security hole. I still
hadn't figured out what caused this though, until I realized that
passwords can have linefeeds as well which can cause this.
Mar 8 17:05:17 boomhauer dovecot: child 72819 (login) killed with signal 11
This still shouldn't happen though. I didn't try to reproduce this yet.
It's anyway quite difficult to get core dumps out of login processes.
I'm not sure if FreeBSD lets you do that in some special way, but there
are at least two things in the way:
1. Kernel thinks it's a setuid program, and setuid programs don't core
dump.
2. It's chrooted to a non-writable directory.
1. I could enable this:
# sysctl -d kern.sugid_coredump
kern.sugid_coredump: Enable coredumping set user/group ID processes
2. And add an absolute path infront of this that is world writable:
# sysctl kern.corefile
kern.corefile: %N.%P.boomhauer.core
Can you think of a way that I could force the issue to be reproduced
so I can get away with making these changes on less servers?
