On Monday 10 September 2001 12:56, Amos Gouaux wrote:
>
> True, but the cyrus user is potentially more exposed to the outside
> environment than pwcheck/saslauthd.  These daemons are after all
> listening on a UNIX domain socket, not an INET socket.

Having internal access is bad enough (IMAP access is firewalled out in 
my case, anyway). Red Hat's Bugzilla bug #11892 points this out: 

"Cyrus imapd in Raw Hide (2.0.5-6) fixes the second problem, but the 
first is unlikely to be done because allowing any non-root user to 
attempt to guess other users' passwords will decrease the level of 
security, and the pwcheck daemon is documented as not being hardened 
against denial-of-service attacks."

That is why Red Hat does not include pwcheck in their RPMs. (To further 
increase their security, Red Hat will no longer include the cyrus-imapd 
RPM in future releases :-)  ... Grrr ...) 

The absence of documentation on using saslauthd with Cyrus-IMAP is the 
main reason I have not tried it. That is to say, I had not heard about 
this daemon until this discussion. Also, it does not seem to be in Red 
Hat's distribution.

Chris
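The quoted point above is that a daemon listening on a UNIX domain socket is only reachable by local processes, and for such a socket the filesystem is the access control: a client needs write permission on the socket node and search (execute) permission on every directory above it. The following is an added example, not code from the thread, Cyrus or Red Hat, that audits exactly that for an arbitrary socket path; the socket and directories it creates are constructed in a temporary directory for the demonstration, and the function name `path_exposure` is an assumption of this example.

```python
import os
import shutil
import socket
import stat
import tempfile


def path_exposure(sock_path):
    """Classify who could connect to the UNIX domain socket at sock_path.

    connect() on a UNIX socket needs write permission on the socket node
    and search (x) permission on each directory leading to it, so both
    are checked. Returns a dict of booleans.
    """
    st = os.lstat(sock_path)
    result = {
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }

    # Walk every ancestor directory: one missing o+x blocks other users
    # regardless of how permissive the socket node itself is.
    ancestors_open = True
    d = os.path.dirname(os.path.abspath(sock_path))
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            ancestors_open = False
            break
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            break
        d = parent

    result["ancestors_open"] = ancestors_open
    result["world_reachable"] = ancestors_open and result["world_writable"]
    return result


def demo():
    """Constructed scenario: bind a socket and vary the permissions around it.

    Returns three audit results: socket 0777 inside a 0700 directory,
    the same socket after the directory is opened to 0711, and finally
    the socket tightened to 0660 inside the open directory.
    """
    base = tempfile.mkdtemp()  # mkdtemp creates the directory mode 0700
    try:
        sock_path = os.path.join(base, "mux")
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(sock_path)
        os.chmod(sock_path, 0o777)
        private_dir = path_exposure(sock_path)   # node open, directory closed

        os.chmod(base, 0o711)
        open_dir = path_exposure(sock_path)      # node open, directory traversable

        os.chmod(sock_path, 0o660)
        restricted_node = path_exposure(sock_path)  # owner/group only
        s.close()
        return private_dir, open_dir, restricted_node
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for label, res in zip(("0700 dir", "0711 dir", "0660 node"), demo()):
        print(label, res)
```

Run against a real daemon's socket path (for example the directory saslauthd is started with) the same function shows whether "listening on a UNIX domain socket" actually restricts who can talk to the daemon, or whether the directory and node modes have opened it to every local account.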
