Hello Jeremy, PMFJI ...
On Wednesday, February 8, 2006 at 2:00:54 AM Jeremy wrote:

> On Tuesday 07 February 2006 09:39, Tom Collins wrote:
>> On Feb 7, 2006, at 12:25 AM, ??? wrote:
>> > exec /usr/local/bin/softlimit -m 2000000 \
>> > /usr/local/bin/tcpserver -v -R -H -l 0 0 110 \
>>
>> For starters, try a higher softlimit (like 10000000).
>>
>> You should also include the user and group to run as (add -u89 -g89 to
>> your tcpserver parameters)

> even for pop3? doesn't vchkpw setuid() to the vpopmail user after
> authenticating?

Sure. But the earlier root privileges are dropped, the more secure. Every process running as UID 0 is a potential security problem, every process not being run as root ever gives an attacker a little more distance to the aimed root-shell.

And if you *know* your POP3-Daemon will always suid() to user 'vpopmail' *and* if you know pop3d doesn't need anything more than vpopmail's permissions to authenticate all incoming requests: why risk the (admittedly: very low) possibility of somebody becoming root through pop3d?

--
Best regards
Peter Palmreuther

Never try to outstubborn a cat... The cat will win!

P.S.: I don't intend to say pop3d is insecure or has potential to become remotely hacked. But you never know the future, and if you get used to running as few processes with UID 0 as possible, chances rise you don't forget about this *when* it is necessary ;-)
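
The check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads a run script and reports whether tcpserver is told to drop root with `-u`/`-g` (or `-U`) before it starts the POP3 program. The function name and the placeholder program name are assumptions, since the quoted script is cut off; option letters follow tcpserver's usage line.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a run script on stdin.
# Returns 0 if tcpserver sets a non-root uid and a gid, 1 if not, 2 if no tcpserver.
audit_tcpserver() {
    # Join backslash-continued lines, skip comments, keep the first tcpserver command.
    cmd=$(awk '
        /^[ \t]*#/ { next }
        { if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next }
          line = buf $0; buf = ""
          if (line ~ /tcpserver/) { print line; exit } }
        END { if (buf ~ /tcpserver/) print buf }')
    set -f; set -- $cmd; set +f   # naive word split; shell quoting is not interpreted
    found=0
    while [ $# -gt 0 ]; do
        word=$1; shift
        case $word in tcpserver|*/tcpserver) found=1; break ;; esac
    done
    [ "$found" -eq 1 ] || { echo "no tcpserver invocation found"; return 2; }

    uid='' gid='' OPTIND=1
    # getopts stops at the first non-option word (the host), so flags that
    # belong to the program tcpserver runs are not mistaken for its own.
    while getopts ':1UXpPhHrRoOdDqQvc:x:B:g:u:b:l:t:' opt "$@"; do
        case $opt in
            u) uid=$OPTARG ;;
            g) gid=$OPTARG ;;
            U) uid='$UID' gid='$GID' ;;   # -U: take both from the environment
        esac
    done
    if [ -n "$uid" ] && [ -n "$gid" ] && [ "$uid" != 0 ]; then
        echo "ok: program starts as uid=$uid gid=$gid"
        return 0
    fi
    echo "warn: uid=${uid:-inherited} gid=${gid:-inherited}; program starts with tcpserver's own privileges"
    return 1
}

# Constructed sample: the run script quoted above, with a placeholder program name.
audit_tcpserver <<'EOF' || true
exec /usr/local/bin/softlimit -m 2000000 \
/usr/local/bin/tcpserver -v -R -H -l 0 0 110 \
pop3-program-placeholder
EOF
```

Word splitting here ignores shell quoting, so a run script that builds its tcpserver arguments from quoted strings containing spaces needs a manual look.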