The vpopmail ebuild enables complete logging of events, including all successful logins with clear passwords. That's a huge security hole and should never be turned on by default! Here is a patch to recover the default behaviour of vpopmail, which only logs errors and without passwords: ------------------------------------------- --- /usr/portage/net-mail/vpopmail/vpopmail-5.4.16.ebuild 2007-07-02 17:05:58.000000000 +0200 +++ vpopmail-5.4.16.ebuild 2007-09-10 18:47:49.000000000 +0200 @@ -90,7 +90,7 @@ && myopts="${myopts} --enable-auth-module=mysql \ --enable-libs=/usr/include/mysql \ --enable-libdir=/usr/lib/mysql \ - --enable-sql-logging=y \ + --enable-sql-logging=e \ --enable-auth-logging=y \ --enable-valias=y \ --enable-mysql-replication=n \ ------------------------------------------- Reproducible: Always
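Review bot: `--enable-sql-logging=e` in the `@@ -90,7 +90,7 @@` hunk changes only which events reach the SQL log (errors instead of every login); it does not remove the password from the rows that are still written, so the "without passwords" behaviour promised in the description is not delivered by this hunk (comment #5 below makes the same point: with MySQL support the password is stored in the vlog table for every logged event unless sql-logging is disabled entirely). Note also that the hunk sits inside the mysql branch of `myopts` (`--enable-auth-module=mysql`), so it has no effect on a build without the mysql USE flag.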
Sorry, wrong patch attached in the last post. This is the right one: -------------------------------------------------------------------------- --- /usr/portage/net-mail/vpopmail/vpopmail-5.4.16.ebuild 2007-07-02 17:05:58.000000000 +0200 +++ vpopmail-5.4.16.ebuild 2007-09-10 19:00:29.000000000 +0200 @@ -116,7 +116,7 @@ --enable-file-locking=y \ --enable-file-sync=y \ --enable-md5-passwords=y \ - --enable-logging=y \ + --enable-logging=e \ --enable-log-name=vpopmail \ --enable-qmail-ext \ --disable-tcp-rules-prog --disable-tcpserver-file --disable-roaming-users \ --------------------------------------------------------------------------
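Review bot: `--enable-logging=e` in the `@@ -116,7 +116,7 @@` hunk lowers the general logging level to errors only, but with the mysql USE flag the vlog table still receives the password column for each error that is logged (see comment #5), so this narrows the exposure rather than removing it. Whatever default is chosen, the behaviour should be documented at install time: an `elog`/`ewarn` in `pkg_postinst` stating what the vlog table records, and that `--enable-sql-logging` must be disabled or the vlog credential columns locked down to keep passwords out of the database, would at least make admins aware of it (comment #6 asks for exactly that).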
CC'ing maintainer for advice.
This is very close to being invalid, but I'll leave it to the security folk to decide. If you have USE=clearpasswd, the passwords are in the main 'vpopmail' table of users in plaintext anyway, because you NEED the plaintext to conduct CRAM-*/DIGEST-* authentication protocols (thus avoiding replay attacks). Additionally, the vlog table, by logging what passwords were used, is very useful in proving to users that their stupid Outlook/Eudora is caching the old password (and in seeing what passwords outside systems are trying to brute-force you with).
(In reply to comment #3)
> This is very close to being invalid, but I'll leave it to the security folk to
> decide.
>
> If you have USE=clearpasswd, the passwords are in the main 'vpopmail' table of
> users in plaintext anyway, because you NEED the plaintext to conduct
> CRAM-*/DIGEST-* authentication protocols (thus avoid replay attacks).

But as you already said, it has to be activated with a USE flag and is not the default.

> Additionally, the vlog table by logging what passwords were used is very useful
> in proving to users that their stupid Outlook/Eudora is caching the old
> password (and in seeing what passwords outside systems are trying to brute
> force you with).

Of course there is a benefit from saving the complete event in the log table, but I would highly appreciate not enabling this behaviour by default. I think that even the admin should have no possibility to see the plaintext password.
Both patches won't work: with mysql support vpopmail _always_ stores the password in the vlog table unless you completely disable sql-logging. Your patch just prevents successful logins from being logged, but errors are still logged with the password (of course, if it is a login error, the "real" password is not logged, but there are other errors besides password failure ...).
(In reply to comment #5)
> both patches won't work, with mysql support vpopmail _always_ stores the
> password in the vlog table unless you completely disable sql-logging... your
> patch just prevents successful logins to be logged, but errors are still logged
> with password (of course if it is a login error, not the "real" password is
> logged, but there are other errors beside password failure ...)

I noticed this as well. That's why I changed the varchar length in MySQL for the password column to zero, so qmail tries to log the password but it won't get saved in the database. At least for me, this behaviour as a default is not a good idea. This should at least be described in the messages after emerging so the user is aware of it.
(In reply to comment #6)
> (In reply to comment #5)
> > both patches won't work, with mysql support vpopmail _always_ stores the
> > password in the vlog table unless you completely disable sql-logging... your
> > patch just prevents successful logins to be logged, but errors are still logged
> > with password (of course if it is a login error, not the "real" password is
> > logged, but there are other errors beside password failure ...)
> >
>
> If noticed this as well. Thats why I changed the varchar length in mysql for
> the password column to zero so qmail tries to log the password but it won't get
> saved in the database.

Sounds like a pretty dirty hack :/

> At least for me this behaviour as a default is not a good idea. This should be
> at least be described in the messages after emerging so the user is aware of
> this.

net-mail, any opinion on this?
security: I'm against the change. As I said, if you have USE=clearpasswd, you have the clear passwords in the database already to support DIGEST-MD5/CRAM-MD5. Additionally, you should have permissions on your MySQL database that lock non-vpopmail users out of the vpopmail database. Setting the passwd column of vlog to no length is useless: just think about the users that misconfigure stuff and swap their password and username (which happens far too often in my logs). The password then gets logged to the username column. If somebody is that paranoid about it, they should set BOTH username and password column lengths to zero manually, and not have USE=clearpasswd, but also go and do similar lockdowns elsewhere in their system.
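As an added illustration of the two mitigations argued over above (the zero-length column hack from comment #6 and the reply in comment #8 that both credential columns and the database privileges need attention), here is example SQL that is not from the bug thread and not part of vpopmail. It assumes vpopmail's MySQL log table is called vlog with columns `user` and `passwd` (vlog and passwd are named in the thread; the `user` column name, the `vpopmail` database name and the 'vpopmail'@'localhost' account are assumptions), and it uses a BEFORE INSERT trigger instead of the CHAR(0) trick, because the trigger blanks the values without depending on how the server treats oversized inserts.

```sql
-- Added example (not from the bug thread or from vpopmail). Assumed names:
--   database `vpopmail`, table `vlog`, columns `user` and `passwd`,
--   MySQL account 'vpopmail'@'localhost' used by vpopmail itself.
-- Run with the mysql command-line client as an administrative account,
-- after taking a backup of vlog.

USE vpopmail;

-- 1. Find out whether the log table already holds credentials.
--    Any non-empty passwd is a plaintext password, correct or mistyped.
--    A password typed into the username field (comment #8) lands in
--    `user` instead and cannot be told apart from a real username here.
SELECT COUNT(*) AS rows_with_passwd
  FROM vlog
 WHERE passwd IS NOT NULL AND passwd <> '';

SELECT *
  FROM vlog
 WHERE passwd <> ''
 LIMIT 20;

-- 2. Scrub what is already stored.
UPDATE vlog SET passwd = '' WHERE passwd <> '';

-- 3. Keep future rows clean regardless of what vpopmail tries to write.
--    A BEFORE INSERT trigger rewrites the row before it is stored, so the
--    INSERT still succeeds (error code, client address and time stamp are
--    kept) while the credential columns are emptied. Blanking `user` as
--    well follows comment #8: otherwise a password typed into the username
--    field would still be recorded. Remove the `NEW.user` line if you
--    prefer to keep usernames and accept that risk.
DELIMITER //
CREATE TRIGGER vlog_scrub_credentials
BEFORE INSERT ON vlog
FOR EACH ROW
BEGIN
  SET NEW.passwd = '';
  SET NEW.`user` = '';
END//
DELIMITER ;

-- 4. The "dirty hack" from comment #6, for comparison: a CHAR(0) column
--    can only hold '' or NULL. Under a non-strict sql_mode an oversized
--    value is truncated with a warning; under STRICT_TRANS_TABLES the
--    INSERT is rejected with error 1406 ("Data too long") and the event
--    is not logged at all. Run step 2 first, or the ALTER itself fails in
--    strict mode on the existing data.
-- ALTER TABLE vlog MODIFY passwd CHAR(0) NOT NULL DEFAULT '',
--                  MODIFY `user` CHAR(0) NOT NULL DEFAULT '';

-- 5. Comment #8's other point: only vpopmail's own account should reach
--    the database. List who holds schema-level grants on it (accounts
--    with global *.* grants appear in information_schema.user_privileges
--    instead), revoke anything unexpected, and keep vpopmail's own grant
--    to the four DML privileges it needs.
SELECT grantee, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema = 'vpopmail';

GRANT SELECT, INSERT, UPDATE, DELETE ON vpopmail.* TO 'vpopmail'@'localhost';
FLUSH PRIVILEGES;
```

The trigger is the part worth keeping: it blanks the two columns at write time for every code path vpopmail uses, whether the logged event is a successful login, an authentication failure or some other error, so it covers the case comment #5 raises where `--enable-sql-logging=e` still records passwords on error rows. Step 5 does not address USE=clearpasswd; if that flag is set, the main users table holds the plaintext passwords regardless of what vlog contains, as comments #3 and #8 point out.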
Closing this one as WONTFIX. If new arguments pop up feel free to reopen.