Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Sun, 17 Nov 2002 16:25:38 +0300
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: Mailbox symlink

On Sun, Nov 17, 2002 at 03:20:58PM +0200, Gil Disatnik wrote:

Hi,

> I am using popa3d that comes with slack-current (0.5.1).
> 
> /var/spool/mail/<username> is in fact a symlink to $HOME/Maildir.

You mean, to $HOME/Mailbox?

Yes, that won't work.  The reason I've added safety checks to popa3d's
mailbox opens is to defeat certain attacks possible specifically when
mailboxes are in user-writable directories (that is, when popa3d is
built with support for $HOME/Mailbox).  One such attack would be
symlinking $HOME/Mailbox to /dev/zero.

You really need to rebuild popa3d with support for $HOME/Mailbox, this
is an option in params.h.

As you're currently using the Slackware package, you need to choose
one of:

1. Modify the Slackware package to build popa3d with this option.

2. Build popa3d manually, install under /usr/local (that's where "make
install" would place it by default) and use that instead of the binary
provided with Slackware.

-- 
/sd

Powered by Openwall GNU/*/Linux - Powered by OpenVZ