on 8/23/01 11:15 AM, Ken Jones at [EMAIL PROTECTED] spake:
> vpopmail-4.10.35 is available.
> This is a security fix.
>
> This is the first pre5.0 canidate. If no problems are
> found in the next week this will be the 5.0 release.
>
> Changes from 4.10.34 are:
>
> 1) vpopmail/lib directory is now owned by root
> and read/write/execute only by root.
>
> 2) vpopmail/lib/libvpopmail.a is also owned by
> root and read/write only by root.
>
> These changes make it impossible for non root
> users to compile programs which use the vpopmail
> library. This should restrict the ability for
> a regular user to create a vpopmail application
> and then core dump it to view the contents of
> the libvpopmail.a library, which includes the
> authentication information to databases,
> like mysql, oracle or ldap.
>
> Ken Jones
> inter7.com
Incidentally, you'll have to build courier-imap/sqwebmail as root, otherwise
I get this:
gcc -I/home/vpopmail/include -g -O2 -Wall -I.. -I./.. -o authvchkpw
modauthvchkpw.o libauthmod.a libauth.a ../md5/libmd5.a ../sha1/libsha1.a
-L/home/vpopmail/lib -lvpopmail -lm -lcrypt
/usr/bin/ld: cannot find -lvpopmail
collect2: ld returned 1 exit status
make[1]: *** [authvchkpw] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/var/src/courier-imap-1.3.10/authlib'
make: *** [all-recursive] Error 1
But these require a non-root user for configuring, so just run make and make
install as root.
Cheers,
Bill
