popa3d-users - Re: virtual.c another question

Openwall Project		/home Owl JtR Pro crypt pam_passwdqc tcb phpass scanlogd popa3d msulogin / Linux BIND / advisories presentations / services donations / wordlists passwords / community lists wiki CVSweb mirrors signatures
bringing security into open environments

This website is powered by Openwall GNU/*/Linux security-enhanced OS

[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]

Date: Sun, 30 Mar 2003 13:57:08 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtual.c another question

On Sun, Mar 30, 2003 at 01:29:38PM +0600, Boris Kovalenko wrote:

Hi,

> virtual.c/virtual_userpass
> fail = 0;
> if (!is_valid_user(user)) {
>      user = "INVALID";
>      fail = 1;
> }
> .... many other code
> 
> Why to run other code if we already know that user is invalid? Why lstat 
> directory and try to open file for this "INVALID" user?

This is to reduce information leaks via timing.

-- 
/sd