----- Forwarded message from Sam Varshavchik <[EMAIL PROTECTED]> -----
Doug Clements writes: >On Fri, Jul 18, 2003 at 09:47:14AM -0400, Sam Varshavchik wrote: >>Known bug in the vpopmail module. Try the vpopmail mailing list. >> >>If vpopmail people do not fix this bug, I'll simply pull the vpopmail >>module out. I don't want to deal with their bugs any more. > >I've seen this said many times for years now. vpopmail says it's a bug in >authdaemon, you say it's a bug in vpopmail. How specifically does vpopmail >act that is problematic for sqwebmail? It fails to clear the buffer where the username is copied to. Therefore, a subsequent authentication request for a username with fewer characters will get leftover crap appended to it, and the userid search against the database will fail. By disabling authdaemon, they're hacking around the bug by starting a new process for each authentication request, with all memory cleared at startup. There's nothing wrong with authdaemon. LDAP, PostgreSQL, or MySQL authentication is rock solid. Only vpopmail craps out, when using authdaemon. It's a vpopmail bug. This is the last time I'm going to address this issue. They'll either have to fix this bug, or if I continue to get their bug reports, I'll just drop the whole vpopmail module. And they also better do something about the broken permissions on the vpopmail library. Not a week goes by without someone whining that linking against -lvpopmail fails. That's because libvpopmail.a does not have group or world read permissions. You want to know why's that? That's because the administrator password to MySQL is hardcoded into the library, and some time ago someone correctly reported to Bugtraq that with vpopmail installed, anyone on the system can easily lift the admin password to MySQL out of libvpopmail.a. So how was that fixed? By removing read permissions on libvpopmail.a. End result? When building sqwebmail or courier-imap as non-root, the link against libvpopmail.a now fails. And I get the bug reports caused by the broken security model of vpopmail. ----- End forwarded message ----- It looks like there's 2 main problems he's detailing. The first he details looks pretty darn obviously a bug. Can anyone comment on why this buffer isn't cleared, and why it hasn't been fixed? I'm not sure how to address the library problem. I've come across it, and anyone who halfway knows what they're doing should know how to get around it, but we all (sqwebmail and vpopmail lists) still get people who have problems with it. This sounds fixable by the patch I just saw that keeps the authentication information in a seperate file. Are there any objections to doint this and relaxing the restrictions on the lib directory (at least make it executable) and the actual library file (make it readable)? The hard-coded login information was the only valid reason I remember for having the lib permissions like that. Anyone? I've never seen this problem really anaylzed and properly investigated on the vpopmail side. I really would like sqwebmail and vpopmail to work well together, it would be quite a shame to lose the interoperability over some bugs that should really be fixed regardless. --Doug
