Raboo Treed wrote:
> hmm
> well this patch was bad, cause it had some text-wrapping... I fixed that...
> but still that patch doesn't work with the latest devel of vpopmail....
> Does anyone have a working one with 5.3.29?
> So if an "intruder" would get access as root or vpopmail user they wouldn't
> use some vadduser binary to "insecure" your system...?? Or just maybe
> someone would be able in some difficult way thru qmailadmin be able to
> haxx0r your system just cause of the vadduser code is using system??

A root compromise of the system isn't the only thing one has to worry
about. I'd be pretty pissed if someone inserted something into my skel
that resulted in all of my email being duplicated and sent to someone
else. Using cp when you could just copy the files in C in a secure
manner is just silly. It's also less efficient, as an added bonus.

> I think it's safe enough..
> I don't know about this for sure, but for me it sounds pretty hard???
> /Raboo

Exploitable just isn't safe enough. I've disagreed with Tom about the
level of paranoia required (see the password/salt generation thread),
but in this case he's absolutely right about requiring more than the
current patch supplies.
Cheers,
Nick Harring
Webley Systems
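
The point above about copying skel files in C instead of shelling out to cp, as an added example (not code from this thread, the patch, or vpopmail). `copy_skel_file` and `write_all` are hypothetical names; the function copies one regular file, and a caller is assumed to walk the skel directory and call it per entry.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0 && errno == EINTR)
            continue;
        if (w < 0)
            return -1;
        p += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Hypothetical helper, not vpopmail code. Returns 0 on success, -1 on failure. */
int copy_skel_file(const char *src, const char *dst)
{
    char buf[4096];
    struct stat st;
    ssize_t n = -1;
    int rc = -1, out;
    /* O_NOFOLLOW: refuse a symlink planted in skel. O_NONBLOCK: don't hang on a FIFO. */
    int in = open(src, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (in < 0)
        return -1;
    /* Check the opened descriptor, not the path, so the file cannot be swapped.
     * O_CREAT|O_EXCL: fail if anything, including a symlink, already sits at dst. */
    if (fstat(in, &st) == 0 && S_ISREG(st.st_mode) &&
        (out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0) {
        for (;;) {
            n = read(in, buf, sizeof buf);
            if (n < 0 && errno == EINTR)
                continue;
            if (n <= 0 || write_all(out, buf, (size_t)n) < 0)
                break;
        }
        if (close(out) == 0 && n == 0)
            rc = 0;
        else
            unlink(dst);    /* don't leave a truncated file behind */
    }
    close(in);
    return rc;
}
```

No shell is involved, so nothing in a file name, `PATH` or the environment is interpreted on the way.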