Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Sun, 30 Mar 2003 18:15:07 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: virtual.c another question

On Sun, Mar 30, 2003 at 07:42:35PM +0600, Boris Kovalenko wrote:
> Solar Designer wrote:
> >>>>Why to run other code if we already know that user is invalid? Why 
> >>>>lstat directory and try to open file for this "INVALID" user?
> >>>>
> >>>This is to reduce information leaks via timing.
> >
> >It's primarily whether a username corresponds to an existing mail
> >account or not.
> >
> Hmm...You do not find it too difficult?

No.

> And may be there is security hole?

I don't see one, besides this defense against timing analysis still
being imperfect due to properties of libc and the kernel.

> According to the code, we will check and read at least 
> VIRTUAL_HOME_PATH/IP/VIRTUAL_AUTH_PATH/INVALID (with default settings it 
> will be /vhome/ip/auth/INVALID).

Yes.  This is intentional.  It has to try some path, or the timings
would be different.

> Someone may use this knowlege to compromise the whole system,

How?

> or I'm paranoid?

Paranoia is fine, but yours appears to be broken so far. ;-)

> >I'm afraid these discussions on programming topics are of no use to
> >most popa3d-users subscribers.  If anyone is annoyed by them, please
> >let me know and I'll be bringing them off-list in the future.
> >
> I'm afraid too. But because I don't know your direct e-mail I need to 
> write to the list.

Haven't you read the docs?  Can't you read e-mail headers?

-- 
/sd

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux