LinuxQuestions.org > Linux - Server
checkpassword only works as root, authentication with spamdyke, qmail (https://www.linuxquestions.org/questions/linux-server-73/checkpassword-only-works-as-root-authentication-with-spamdyke-qmail-756686/)

dbj 09-21-2009 02:15 AM

checkpassword only works as root, authentication with spamdyke, qmail
 
You can test checkpassword with

printf "%s\0%s\0%s\0" user password Y123456 | /usr/bin/checkpassword id 3<&0

But it only gives the right result when you are root. Why?
I have set spamdyke to use checkpassword
smtp-auth-command=/usr/bin/checkpassword /bin/true

I think that is a problem when running "/etc/init.d/qmail start". I have

...
rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
...
...
sh -c "start-stop-daemon --start --quiet --user qmaild \
--pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
--exec /usr/bin/tcpserver -- -R -H \
-u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
$rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
| $logger &"


I am not an expert but it seems to work if `id -u mails` is replaced with
`id -u root`

Ok, but from a security aspect is that the right solution?
I mean qmail-smtpd will run as root which is not as intended.

neonsignal 10-15-2009 12:57 AM

Quote:

printf "%s\0%s\0%s\0" user password Y123456 | /usr/bin/checkpassword id 3<&0

But it only gives the right result when you are root. Why?
Because checkpassword only has access to the shadow password database if it is run as root. Some programs that require access to the database are run as sgid shadow, but even this would be a bad idea for checkpassword, because it can be used to run dictionary attacks against the password list.

Quote:

I am not an expert but it seems to work if `id -u mails` is replaced with
`id -u root`

Ok, but from a security aspect is that the right solution?
Doesn't sound like good security; at the very least, you are running a lot of code as root that doesn't need to be.

There are a number of alternatives to checkpassword.

I cannot advise the best solution; for a commercial system, you should probably operate a separate password database for remote smtp users, rather than give qmail access to the system passwords.
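One way to do what the reply above suggests, as an added example (not code from this thread, from spamdyke or from qmail): a small checkpassword-compatible program that speaks the same fd-3 protocol the test command in the question uses ("user\0password\0timestamp\0", at most 512 bytes), but verifies the password against its own file of PBKDF2-SHA256 hashes rather than /etc/shadow. Because it never touches the shadow database it gives the right answer when run as qmaild, so tcpserver does not have to run as root. The database path /etc/spamdyke-smtp-users, its user:salt_hex:hash_hex line format and the sample users are assumptions made for the example.

```python
#!/usr/bin/env python3
"""checkpassword-compatible authenticator backed by its own password file.

Added example for this thread; not code from the thread, spamdyke or qmail.
Speaks the checkpassword protocol (reads "user\\0password\\0timestamp\\0" from
fd 3, at most 512 bytes, execs the remaining argv on success, exits 1 on a bad
login) but verifies against a PBKDF2-SHA256 hash file instead of /etc/shadow,
so it runs correctly as an unprivileged user such as qmaild.
"""
import hashlib
import hmac
import os
import sys

MAX_INPUT = 512          # checkpassword reads at most 512 bytes from fd 3
PBKDF2_ROUNDS = 200_000
DB_PATH = "/etc/spamdyke-smtp-users"   # assumed path; format: user:salt_hex:hash_hex


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_entry(user: str, password: str, salt: bytes = None) -> str:
    """Produce one database line; an admin tool would append this to DB_PATH."""
    salt = salt if salt is not None else os.urandom(16)
    return f"{user}:{salt.hex()}:{hash_password(password, salt).hex()}"


def load_db(text: str) -> dict:
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, hash_hex = line.split(":", 2)
        db[user] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return db


def parse_checkpassword_input(buf: bytes):
    """Split the fd-3 buffer into (user, password); None if it is malformed."""
    if len(buf) > MAX_INPUT:
        return None
    fields = buf.split(b"\0")
    # "user\0pass\0timestamp\0" yields at least three fields; the timestamp is ignored
    if len(fields) < 3 or not fields[0]:
        return None
    try:
        return fields[0].decode("utf-8"), fields[1].decode("utf-8")
    except UnicodeDecodeError:
        return None


def verify(db: dict, user: str, password: str) -> bool:
    entry = db.get(user)
    # Hash against a dummy entry for unknown users so that a bad username costs
    # the same time as a bad password (no user enumeration via timing).
    salt, expected = entry if entry is not None else (b"\0" * 16, b"\0" * 32)
    actual = hash_password(password, salt)
    return entry is not None and hmac.compare_digest(actual, expected)


def authenticate(db_text: str, fd3_buf: bytes) -> bool:
    parsed = parse_checkpassword_input(fd3_buf)
    if parsed is None:
        return False
    return verify(load_db(db_text), *parsed)


# Constructed sample database with fixed salts; not real credentials.
SAMPLE_DB_TEXT = "\n".join([
    "# user:salt_hex:pbkdf2_sha256_hex",
    make_entry("alice", "correct horse battery staple", salt=b"\x01" * 16),
    make_entry("bob", "hunter2", salt=b"\x02" * 16),
])


def main(argv: list) -> None:
    if len(argv) < 2:
        sys.exit(2)           # checkpassword convention: 2 = misuse
    try:
        with open(DB_PATH, encoding="utf-8") as f:
            db_text = f.read()
    except OSError:
        sys.exit(111)         # 111 = temporary failure, try again later
    buf = b""
    while len(buf) < MAX_INPUT:
        chunk = os.read(3, MAX_INPUT - len(buf))
        if not chunk:
            break
        buf += chunk
    os.close(3)
    if not authenticate(db_text, buf):
        sys.exit(1)           # 1 = bad username or password
    os.execvp(argv[1], argv[1:])   # e.g. /bin/true: exit status 0 tells spamdyke "ok"


if __name__ == "__main__":
    main(sys.argv)
```

Installed (for instance) as /usr/local/bin/smtpauth-check, readable by qmaild together with a database file owned root:qmaild mode 0640, the spamdyke line becomes smtp-auth-command=/usr/local/bin/smtpauth-check /bin/true, and the same printf test from the question works as an unprivileged user: printf "%s\0%s\0%s\0" alice 'correct horse battery staple' Y123456 | /usr/local/bin/smtpauth-check /bin/true; echo $? prints 0 for a good password and 1 for a bad one. Unlike the stock checkpassword it does not switch to the user's uid/gid or set HOME, since spamdyke only looks at the exit status; the SMTP users therefore need no system account at all, and a dictionary attack against this file only exposes the SMTP credentials, never the system passwords.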

