Report information
Id: 38268
Status: open
Priority: 0/
Queue: qpsmtpd

Owner: Nobody
Requestors: ask [at] develooper.com
Cc:
AdminCc:



Subject: checkpassword support
Date: Wed, 18 Jan 2006 04:18:00 -0800
To: bugs-qpsmtpd [...] rt.perl.org
From: Ask Bjørn Hansen <ask [...] develooper.com>
It'd be nice to support checkpassword for SMTP AUTH.

Something like Michael Holzt's plugin at:

http://qpsmtpd.kju.de/qpsmtpd/created_by_me/authcheckpassword/
authcheckpassword

#!/usr/bin/perl -w

sub register {
    my ( $self, $qp ) = @_;

    $self->register_hook( "auth-plain", "authcpw" );
    $self->register_hook( "auth-login", "authcpw");
}

sub authcpw {
    my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) = @_;

    my $binary = $self->qp->config("smtpauth-checkpassword")
        or return (DECLINED);
    return(DECLINED) if ( ! -x $binary );

    my ($untainted) = $binary =~ /^(.*)$/;

    open(CPW,"|$untainted 3<&0");
    printf(CPW "%s\0%s\0Y123456\0",$user,$passClear);
    close(CPW);

    my $status = $?;
    return(DECLINED) if ( $status != 0 );

    return ( OK, "authcheckpassword" );
}

--
http://askask.com/ - http://develooper.com/
CC: bugs-bitbucket [...] rt.perl.org
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 14:14:29 +0100
To: qpsmtpd [...] perl.org
From: Johan Almqvist <johan [...] almqvist.net>
On Jan 18, 2006, at 13:18, Ask Bjoern Hansen (via RT) wrote:

> # New Ticket Created by Ask Bjoern Hansen
> # Please include the string: [perl #38268]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38268 >

Here's a fixed-up version that actually works (for me)

#!/usr/bin/perl -w

sub register {
    my ( $self, $qp ) = @_;

    $self->register_hook( "auth-plain", "authcpw" );
    $self->register_hook( "auth-login", "authcpw");
}

sub authcpw {
    my ( $self, $transaction, $method, $user, $passClear, $passHash, $ticket ) = @_;

    my $binary = $self->qp->config("smtpauth-checkpassword")
        or return (DECLINED);
    return(DECLINED) if ( ! -x $binary );

    my ($untainted) = $binary =~ /^(.*)$/;

    open(CPW,"|$untainted /usr/bin/true 3<&0");
    # checkpassword will fail if it's not given something to execute.
    # Probably a bad idea to hard-code the path. -Johan
    printf(CPW "%s\0%s\0Y123456\0",$user,$passClear);
    close(CPW);

    my $status = $?;
    return(DECLINED) if ( $status != 0 );

    $self->connection->notes('authuser',$user);
    # This should probably be in lib/Qpsmtpd/Auth.pm instead... -Johan
    $self->connection->relay_client(1);
    return ( OK, "authcheckpassword" );
}
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 14:35:51 +0100
To: qpsmtpd [...] perl.org
From: Michael Holzt <kju [...] fqdn.org>
> I would, however, suggest changing the code as following:
Of course I managed to introduce a bug into that code. So this one should
work:

my $command = $self->qp->config("smtpauth-checkpassword")
    or return (DECLINED);
my ($binary, $params) = $command =~ /^(\S+)(.*)$/;
return(DECLINED) if ( ! -x $binary );

open(CPW,"|$binary $params 3<&0");

Regards
Michael

--
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 14:34:13 +0100
To: qpsmtpd [...] perl.org
From: Michael Holzt <kju [...] fqdn.org>
> my $binary = $self->qp->config("smtpauth-checkpassword")
>     or return (DECLINED);
> return(DECLINED) if ( ! -x $binary );
>
> my ($untainted) = $binary =~ /^(.*)$/;
>
> open(CPW,"|$untainted /usr/bin/true 3<&0");
> # checkpassword will fail if it's not given something to execute.
> # Probably a bad idea to hard-code the path. -Johan

Yes it is a bad idea, because e.g. on Linux it needs to be /bin/true. I
forgot about that part in my plugin, as I'm using a modified checkpassword
which does not need it.

I would, however, suggest changing the code as following:

my $command = $self->qp->config("smtpauth-checkpassword")
    or return (DECLINED);
my ($binary, $params) = $command =~ /^(\S+)(.*)$/;
return(DECLINED) if ( ! -x $binary );

open(CPW,"|$command $params 3<&0");

This should allow to just write '/my/path/to/checkpassword /bin/true' or
similar content into the config file, without breaking the (modest)
security which ensures that actually an existing command is executed.

Regards
Michael

--
It's an insane world, but i'm proud to be a part of it. -- Bill Hicks
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 08:49:50 -0600
To: qpsmtpd [...] perl.org
From: Andy Colson <jacodeguy [...] gmail.com>
On 1/18/06, via RT Ask Bjoern Hansen <qpsmtpd-bugs-followup@develooper.com> wrote:

> # New Ticket Created by Ask Bjoern Hansen
> # Please include the string: [perl #38268]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38268 >
>
>
> It'd be nice to support checkpassword for SMTP AUTH.
>
> Something like Michael Holzt's plugin at:
>
> http://qpsmtpd.kju.de/qpsmtpd/created_by_me/authcheckpassword/
> authcheckpassword
>

Ahh, I have a dumb question. My qpsmtpd runs as user smtpd, and I'm
guessing that user wouldn't have rights to call checkpassword, would they?
Do you setup a sudo for that, or is there a simpler way?

-Andy
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 17:59:09 +0100
To: qpsmtpd [...] perl.org
From: Johan Almqvist <johan [...] almqvist.net>
On Jan 18, 2006, at 15:49, Andy Colson wrote:

> Ahh, I have a dumb question. My qpsmtpd runs as user smtpd, and I'm
> guessing that user wouldn't have rights to call checkpassword, would
> they? Do you setup a sudo for that, or is there a simpler way?

I have made my checkpassword setuid and executable by everyone. I always
thought that's the whole point of it? (It's really just a variant of the
sudo or su program with a more suitable interface for scripting)

-Johan
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 17:06:48 -0500
To: qpsmtpd [...] perl.org
From: Bob Dodds <cto [...] xqme.com>
Andy Colson wrote:

> On 1/18/06, via RT Ask Bjoern Hansen
> <qpsmtpd-bugs-followup@develooper.com> wrote:
>
>> # New Ticket Created by Ask Bjoern Hansen
>> # Please include the string: [perl #38268]
>> # in the subject line of all future correspondence about this issue.
>> # <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38268 >
>>
>>
>> It'd be nice to support checkpassword for SMTP AUTH.
>>
>> Something like Michael Holzt's plugin at:
>>
>> http://qpsmtpd.kju.de/qpsmtpd/created_by_me/authcheckpassword/
>> authcheckpassword
>>
>
> Ahh, I have a dumb question. My qpsmtpd runs as user smtpd, and I'm
> guessing that user wouldn't have rights to call checkpassword, would
> they? Do you setup a sudo for that, or is there a simpler way?
>
> -Andy

http://www.google.com/search?q=checkpassword+fnord
http://www.google.com/search?q=checkpassword+tools
Subject: [OT] Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 14:41:50 -0800 (PST)
To: qpsmtpd [...] perl.org, ask [...] develooper.com
From: frank <ratty [...] they.org>
Are these mails going to keep coming in like this? I didn't sign up for
the -bugs-followup list and it's being marked as potential spam in my
folders. Is this being done manually (like via BCC) or does the
-bugs-followup list automatically forward to the main list?

-f

On Wed, 18 Jan 2006, Bob Dodds via RT wrote:

> Date: Wed, 18 Jan 2006 14:05:23 -0800
> From: Bob Dodds via RT <qpsmtpd-bugs-followup@develooper.com>
> To: ask@develooper.com
> Subject: Re: [perl #38268] checkpassword support
>
> Andy Colson wrote:
>> On 1/18/06, via RT Ask Bjoern Hansen
>> <qpsmtpd-bugs-followup@develooper.com> wrote:
>>
>>> # New Ticket Created by Ask Bjoern Hansen
>>> # Please include the string: [perl #38268]
>>> # in the subject line of all future correspondence about this issue.
>>> # <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=38268 >
>>>
>>>
>>> It'd be nice to support checkpassword for SMTP AUTH.
>>>
>>> Something like Michael Holzt's plugin at:
>>>
>>> http://qpsmtpd.kju.de/qpsmtpd/created_by_me/authcheckpassword/
>>> authcheckpassword
>>>
>>
>> Ahh, I have a dumb question. My qpsmtpd runs as user smtpd, and I'm
>> guessing that user wouldn't have rights to call checkpassword, would
>> they? Do you setup a sudo for that, or is there a simpler way?
>>
>> -Andy
> http://www.google.com/search?q=checkpassword+fnord
> http://www.google.com/search?q=checkpassword+tools
Subject: Re: [OT] Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 17:56:55 -0500
To: qpsmtpd [...] perl.org
From: Bob Dodds <cto [...] xqme.com>
frank wrote:

> Are these mails going to keep coming in like this? I didn't sign up
> for the -bugs-followup list and it's being marked as potential spam in
> my folders. Is this being done manually (like via BCC) or does the
> -bugs-followup list automatically forward to the main list?
>
> -f

As far as marked as spam, dspam rates it .9997 confidence of not being
spam.

-Bob
CC: ask [...] develooper.com
Subject: Re: [perl #38268] checkpassword support
Date: Wed, 18 Jan 2006 17:02:30 -0600
To: qpsmtpd-bugs-followup [...] develooper.com
From: David Nicol <davidnicol [...] gmail.com>
> > my ($untainted, $params) = $binary =~ /^(\S+)\s*(.*)$/;
> >
> > open(CPW,"|$untainted $params 3<&0");

What exactly is our security policy wrt trusting our configuration files?

This seems like a case where the best would be to have the plugin look for
checkpassword in /var/qmail/bin (for historic reasons) and document which
source file to touch if yours is elsewhere.

We could build a true if we can't find true with `which true`

my $true = 'sh -c exit'
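
An added example, not code from this thread or from qpsmtpd: one way to hand the credentials to a checkpassword-compatible program on descriptor 3 without interpolating the config value into a shell command line, which is the trust question raised in the message above. The helper name run_checkpassword and the paths in the comment are assumptions.

```perl
use strict;
use warnings;
use Fcntl qw(F_SETFD);
use POSIX ();

# Hypothetical helper. $argv is an array ref such as
# ['/var/qmail/bin/checkpassword', '/bin/true'] (both paths are assumptions).
# Returns 0 = accepted, 1 = rejected, 2 = misused, 111 = temporary failure,
# following the checkpassword exit-code convention.
sub run_checkpassword {
    my ($argv, $user, $pass) = @_;

    # NUL separates the fields on descriptor 3, so a NUL inside a field
    # would let the client move the field boundaries.
    return 2 if grep { !defined($_) || /\0/ } $user, $pass;
    return 2 unless @$argv && -x $argv->[0];

    pipe(my $rd, my $wr) or return 111;
    my $pid = fork();
    return 111 unless defined $pid;

    if ($pid == 0) {    # child: put the read end on descriptor 3
        close $wr;
        if (fileno($rd) == 3) {
            # Perl marks descriptors above $^F close-on-exec; undo that
            fcntl($rd, F_SETFD, 0) or POSIX::_exit(111);
        }
        else {
            POSIX::dup2(fileno($rd), 3) or POSIX::_exit(111);
        }
        # Block form of exec never invokes /bin/sh, so shell
        # metacharacters in the configured command stay literal.
        exec { $argv->[0] } @$argv or POSIX::_exit(111);
    }

    close $rd;
    local $SIG{PIPE} = 'IGNORE';    # the child may exit before reading
    print {$wr} join("\0", $user, $pass, 'Y123456'), "\0";
    close $wr;
    waitpid($pid, 0);

    # A child killed by a signal has a zero high byte in $?; never let
    # that read as "accepted".
    return 111 if $? & 127;
    return $? >> 8;
}
```

A config value of the form '/my/path/to/checkpassword /bin/true' can be turned into the argument list with split ' ', $command; under Perl's taint mode each element still has to be untainted before the exec.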
CC: qpsmtpd [...] perl.org, ask [...] develooper.com
Subject: Re: [OT] Re: [perl #38268] checkpassword support
Date: Thu, 19 Jan 2006 11:22:05 +1100
To: frank <ratty [...] they.org>
From: Andrew Pam <xanni [...] glasswings.com.au>
On Wed, Jan 18, 2006 at 02:41:50PM -0800, frank wrote:

> Are these mails going to keep coming in like this? I didn't sign up for
> the -bugs-followup list and it's being marked as potential spam in my
> folders. Is this being done manually (like via BCC) or does the
> -bugs-followup list automatically forward to the main list?

And why do we have to get a second copy of each message that we have
already received directly via RT?

Regards,
Andrew
--
mailto:xanni@xanadu.net         Andrew Pam
http://www.xanadu.com.au/       Chief Scientist, Xanadu
http://www.glasswings.com.au/   Partner, Glass Wings
http://www.sericyb.com.au/      Manager, Serious Cybernetics

