
Re: Which POP3 server to use? - clarification



On Sun, Oct 07, 2001 at 01:42:08PM -0400, Doug Fields wrote:
> Here is the big problem I'm facing:
> 
> The various POP daemons (qpopper, solid-pop3d, etc.) all use the getpwnam 
> function to get information about the user.
> 
> My user "accounts" do not exist in the NSS/getpwnam environment. They only 
> exist in a list of usernames/passwords and a list of files in a directory.

They all need it for at least one reason:

to change into the username once auth is successful. This means any
exploits that happen at that point only happen as that user.

If you already do have a list of usernames and passwds on the box, why
not utilise /etc/passwd for it? Just fill in the needless things as
blanks or /bin/false so that they are more or less useless for other
things.

For extra security you can have something that goes around and kills off
processes that are not the pop server and which are owned by those users
(extra paranoia doesn't hurt).

If you don't want to do this then the only thing that I can recommend is
to use a pop3 client that supports vhosts. While I've never used one and
couldn't name one if I wanted to I -think- that they'll do what you need
them to do...

-- 
CaT        "As you can expect it's really affecting my sex life. I can't help
           it. Each time my wife initiates sex, these ejaculating hippos keep
           floating through my mind."
                - Mohd. Binatang bin Goncang, Singapore Zoological Gardens
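
The lookup-then-switch step the reply describes, sketched as an added example; it is not part of the original message and not taken from qpopper, solid-pop3d or any other daemon. The `mail_user` struct and both function names are hypothetical, and the sketch assumes the daemon starts as root on a POSIX system with glibc-style `initgroups`.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical record: the fields a POP3 daemon needs from getpwnam(). */
struct mail_user { char name[64]; uid_t uid; gid_t gid; };

/* Resolve a login name through NSS (/etc/passwd etc.); 0 if found, -1 if not. */
int lookup_mail_user(const char *name, struct mail_user *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL || strlen(pw->pw_name) >= sizeof out->name)
        return -1;
    strcpy(out->name, pw->pw_name);
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    return 0;
}

/* Permanently become the authenticated user; 0 on success, -1 on any failure.
 * Order matters: supplementary groups and gid first, uid last. */
int drop_to_user(const struct mail_user *u)
{
    if (u->uid == 0 || geteuid() != 0)
        return -1;  /* refuse to serve mail as root; assume only root may switch */
    if (initgroups(u->name, u->gid) != 0) return -1;
    if (setgid(u->gid) != 0) return -1;
    if (setuid(u->uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || getuid() != u->uid || geteuid() != u->uid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct mail_user u;
    if (argc != 2 || lookup_mail_user(argv[1], &u) != 0) {
        fprintf(stderr, "usage: %s <existing-user>\n", argv[0]);
        return 1;
    }
    if (drop_to_user(&u) != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as root with an existing account name, the program prints the uid and gid it ended up with; any failed step aborts before mailbox access would begin.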


