Qpopper setup on Slackware problem

Qpopper setup on Slackware problem

Post by Todd Rust » Wed, 15 Oct 1997 04:00:00

I'm attempting to set up qpopper on Slackware 3.2 (2.0.29) in order to
support APOP authentication on pop3. I managed to get qpopper compiled ok
(I think; APOP and POPUID options set, no errors reported) using gdbm
support (had to tweak the makefile after running ./configure to use -lgdbm,
especially on the popauth link).

I've installed popper to /usr/sbin and popauth to /usr/local/bin, and
modified the pop3 line in inetd.conf appropriately. popauth is SUID to
"pop", and "pop" exists as a user. I've created the /etc/pop.auth file
using "popauth -init" as root, and it seems to be properly initialized with
600 permissions and owned by pop. The problem is I keep getting a "popauth:
/etc/pop.auth: can't open authentication DB" error when trying to add users
to the database, whether I run "popauth -user username" as root or
"popauth" as a regular user. It will accept popauth -list, but there's
nothing to list yet. I've tried tweaking the file permissions to see if
that's the problem (i.e. chmod 777 pop.auth, etc.) but that hasn't helped.

Any ideas or suggestions would be greatly appreciated. Thank you very much!

Todd Ruston



1. SECURITY Vulnerability on qpopper 2.53 : qpopper 3.x port on FreeBSD ?


As I saw that there is a security bug with qpopper 2.53 (see below) which is
provided by all FreeBSD distribution as the only port, I was wondering
if there is someone working on the qpopper 3.02 port.

Thanks in advance for your help.                Gildas.

Qpopper development has learned of a security vulnerability in
Qpopper 2.53 (and older).  All users of Qpopper are urged to upgrade
to 3.0.2 or later.

The details have been reported to CERT and BugTraq.  The exploit
involves sending a specially-constructed message to a user, then
logging in as that user and issuing the EUIDL command.  A successful
attack can yield a shell running with group 'mail'.

  It is important to note that the attack:

    1.  Requires the ability to log in as a user.
    2.  Can at most give a shell with uid of the user and gid of mail,
potentially allowing access to other user's mail.
    3.  Will be logged.
    4.  Requires Qpopper 2.53 or older.  The current released version is 3.0.2.

In addition, not all sites use group 'mail' or have Qpopper set to
run with gid=mail, or have spools owned by group 'mail' and have rw
group access.  However, this is a very common configuration.

Qpopper 3.0 has additional protections against buffer overflows; this
exploit proves the usefulness of this approach.


Fluxus, 28 rue Desaix, 75015 Paris ---_`\<,_
http://www.fluxus.net           ---- (_)/ (_)
"En 2000, FranceNet change de nom et devient Fluxus"
"In 2000, FranceNet changes its name and becomes Fluxus"

2. Email - handlers

3. Slackware 3.0: gdb problem & setup problem

4. How to scale scalable fonts.

5. qpopper setup help

6. NIS..ypserv dies

7. setup qpopper on debian with ssl

8. Xi Graphics, Screen Shots?

9. Q:slackware setup not recognize my second dos partion on setup,help!

10. Slackware Setup Problem

11. Linux Slackware setup problem

12. mice problems with latest Slackware/Linux setup.

13. Slackware 3.4 - ne2000 setup problem