From jl.Rochat@sat.sligos.fr Wed Jul 3 11:10:36 1996
Date: Tue, 2 Jul 1996 13:25:49 +0200 (MET DST)
From: Jean-Luc Rochat
To: chris@westnet.com
Subject: A security patch for popper.

Hi chris,
I've written a small patch for popper : I wanted to deny pop access for root, admin, etc... as it seemed to me a good method to crack these user's passwords (without any security log). I wanted also a configuration file with only explicitely defined allowed users. (I have ftp only users, pop only users, etc ...) Sorry for my poor English. If you like it, tell me. here it is :

popper.h :
#define _PATH_POPUSERS_DENY "/xxx/popper/conf/popusers_deny"
#define _PATH_POPUSERS_ALLOW "/xxx/popper/conf/popusers_allow"

pop_pass.c :
int pop_pass (p)
POP * p;
{
register struct passwd * pw;
register struct spwd * spw;
char *crypt();
>> /* Look for the user in the _PATH_POPUSERS_ALLOW file */
>> if (!checkuser(p, p->user)) {
>> return (pop_msg(p,POP_FAILURE,
>> "Sorry, access for \"%s\" is denied.",p->user));
>> }
/* Look for the user in the password file */

/* Check if a user is in the file _PATH_POPUSERS_ALLOW */
checkuser(char *p, char *name)
{
register FILE *fd;
char line[256];
char *ptr;
if ((fd = fopen(_PATH_POPUSERS_DENY, "r")) != NULL) { /* not mandatory */
while (fgets(line, sizeof(line), fd) != NULL)
if ((ptr = strchr(line, '\n')) != NULL) {
*ptr = '\0';
if (line[0] == '#') continue;
if (strcmp(line, name) == 0) {
(void) fclose(fd);
pop_log(p,POP_PRIORITY, "(v%s) %s access denied\n",VERSION,name);
return (0);
}
}
(void) fclose(fd);
}
if ((fd = fopen(_PATH_POPUSERS_ALLOW, "r")) != NULL) {
while (fgets(line, sizeof(line), fd) != NULL)
if ((ptr = strchr(line, '\n')) != NULL) {
*ptr = '\0';
if (line[0] == '#') continue;
if (strcmp(line, name) == 0) {
(void) fclose(fd);
return (1);
}
}
(void) fclose(fd);
pop_log(p,POP_PRIORITY, "(v%s) %s access denied\n",VERSION,name);
} else
pop_log(p,POP_PRIORITY, "(v%s) fopen %s failed\n",VERSION,_PATH_POPUSERS_ALLOW);
return (0);
}

format of
configuration files:
_PATH_POPUSERS_ALLOW
# allowed users
user1
user2
# end
_PATH_POPUSERS_DENY
# denied users
root
admin
# end
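Review bot: In `checkuser`, both loops compare a line only when `strchr(line, '\n')` finds a newline, so a last entry without a trailing newline is never matched; for `_PATH_POPUSERS_DENY` this fails open, and a name listed in both files is then accepted from the allow file. The function is declared `checkuser(char *p, char *name)` with an implicit `int` return and no prototype, although `pop_pass` passes its `POP *` and `p` goes on to `pop_log`, which presumably expects the same type; it should be `int checkuser(POP *p, char *name)`, declared in popper.h. A deny file that exists but cannot be opened is treated exactly like a missing one, so it is worth logging that case the way the allow-file failure already is. The reply `Sorry, access for "%s" is denied.` is sent before the password check, so if the password-failure reply differs (the rest of `pop_pass` is outside the excerpt) a client can tell which names are permitted; reusing the generic failure reply avoids that. The fence sketches one lookup helper shared by both files that strips the line end only when it is present.

```c
/* Return 1 if name is listed in path, 0 if it is not, -1 if path cannot be opened. */
static int
user_in_file(const char *path, const char *name)
{
    FILE *fd;
    char line[256];
    int found = 0;

    if ((fd = fopen(path, "r")) == NULL)
        return (-1);
    while (!found && fgets(line, sizeof(line), fd) != NULL) {
        /* Cut at the line end if there is one; a final entry without '\n' still counts. */
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '#' || line[0] == '\0')
            continue;
        found = (strcmp(line, name) == 0);
    }
    (void) fclose(fd);
    return (found);
}

int
checkuser(POP *p, char *name)
{
    int rc;

    /* The deny file is optional, but an existing file that cannot be read is logged. */
    rc = user_in_file(_PATH_POPUSERS_DENY, name);
    if (rc < 0 && errno != ENOENT)
        pop_log(p,POP_PRIORITY, "(v%s) fopen %s failed\n",VERSION,_PATH_POPUSERS_DENY);
    if (rc > 0) {
        pop_log(p,POP_PRIORITY, "(v%s) %s access denied\n",VERSION,name);
        return (0);
    }

    /* The allow file is mandatory: a missing file or an unlisted name both deny. */
    rc = user_in_file(_PATH_POPUSERS_ALLOW, name);
    if (rc > 0)
        return (1);
    if (rc < 0)
        pop_log(p,POP_PRIORITY, "(v%s) fopen %s failed\n",VERSION,_PATH_POPUSERS_ALLOW);
    else
        pop_log(p,POP_PRIORITY, "(v%s) %s access denied\n",VERSION,name);
    return (0);
}
```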