On Mon, Feb 23, 2004 at 09:56:49AM -0600, Jeremy Kitchen wrote: > > Because vpopmail is returning the wrong userid, so sqwebmail is running as > > root (uid=0) instead of the correct uid for that user? > > you would think, however, that this so-called flaw would be apparent in > other uses of vpopmail, such as qmail-pop3d, bincimap, etc..
vpopmail is a fragile and buggy application. Until recently, if you tried to perform two successive authentications, the second authentication would fail if the username was shorter than the first one, because a buffer was not being cleared. Hence it worked in some applications - start, open library, validate a user, quit - but not in others (like authdaemond, which hangs around to perform multiple authentications) qmail-pop3d forks a fresh authentication process for each login, so this particular bug would not be apparent. I can't speak for bincimap. The point is, it's quite possible for libvpopmail to be broken in a way which causes the problem seen; and if they won't put together a proper test suite, then you can choose either to live with its bugs, find and fix them yourself, or use something else. Regards, Brian.
