Bug 11892 - cyrus imapd/sasl combo cannot authenticate.
cyrus imapd/sasl combo cannot authenticate.
Status: CLOSED WONTFIX
Product: Red Hat Powertools
Classification: Retired
Component: cyrus-imapd (Show other bugs)
6.2
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-04 00:44 EDT by lars
Modified: 2008-05-01 11:37 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-05-16 12:49:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description lars 2000-06-04 00:44:15 EDT
The Cyrus IMAPD and SASL libraries distributed with RedHat Powertools are
misconfigured such that it is impossible to authenticate to the imap
server.  There are several problems:

(1) The Cyrus imap daemon does not run SUID root, and *cannot* authenticate
against the shadow password file.  However, the RedHat RPM comes with a PAM
module that attempts to authenticate against the system password file, so
this fails.

The solution in this situation is to build the SASL libraries with the
--enable-pwcheck option; this causes the "pwcheck" daemon to be built,
which is a small server that runs as root and provides authentication
services to imapd.  The imapd RPM should include a startup script that runs
pwcheck at boot.

(2) The deliver program is installed owner=root and group=root, with the
following permissions: -rwxr-x---.  However, deliver (like the other Cyrus
utilities) can only be run as the cyrus user, so in this configuration it
cannot be run at all.

The solution is to change the group ownership to the same group as the
cyrus user (e.g., mail).
Comment 1 Nalin Dahyabhai 2000-08-04 02:47:02 EDT
Cyrus imapd in Raw Hide (2.0.5-6) fixes the second problem, but the first is
unlikely to be done because allowing any non-root user to attempt to guess other
users' passwords will decrease the level of security, and the pwcheck daemon is
documented as not being hardened against denial-of-service attacks.
Comment 2 rm0 2000-08-18 09:44:44 EDT
If I understand well the RMPs shipped with the 6.2 powertools
don't work, and neither does the actual RPMs in the pinstripe powertools

As al little and humble opinion the it would be wise to be sure to not ship cyrus et. al
with the 7.0 final if the evolving RPMs from rawhide don't reach a working state.
Comment 3 Nalin Dahyabhai 2000-08-18 12:18:12 EDT
That's strange.  I've run the versions from Raw Hide on my own workstation
without problems -- created mailboxes using the admin interface, sent mail to
them, and read messages.  What specific problems are you having?
Comment 4 rm0 2000-08-22 17:44:11 EDT
Well, I'm running 6.2 system, so
 * I rebuilt the db3 rawhide SRPM to be able to install the RPM in my system.
 * I think maybe I must upgrade Perl in the same way order to be able to run cyradm
So surely the problem I'm having (saslpasswd hangs after prompting the passwd) is
my fault.

Two little things I've seen in the process:
* /var/imap/{user, quota} are not being chattred +S. You are doing it in the %install section
but it seems rpm don't preserve these attribs when building the binary RPMS. Additionally, 
(if you are not skipping intentionally this step) the /var/imap{user, quota}/* content is also
'chattrd' +S in the cyrus imap original install process.
* The cyrus user gets /bin/false shell in the %post section. Is this correct ? (I read
something about cyrus' shell and cyradm in the ChangeLog, and maybe the final user 
should also get /bin/sh like the %install section does when 'useradding' cyrus)

Excuse me for my english, for maybe seeing bugs where no one exist, and for reporting 
them in another bug's comments form.
Comment 5 Nalin Dahyabhai 2000-08-22 18:09:19 EDT
The only calls to chattr in the spec file are in the %post section, which is run
in the post-install of the binary package, so I think that's actually working
correctly.  The cyrus user should have a real shell, and the chattr call should
use -R.  Both will be fixed 2.0.6-3 and later.
Comment 6 David Lawrence 2003-05-16 12:49:01 EDT
Closing as WONTFIX due to end of life of the Power Tools product line. Please
open a new bug report under the Red Hat Linux product if the component is still
included in the base Red Hat distribution.

Note You need to log in before you can comment on or make changes to this bug.