[illumos-Developer] No LOGIN method in libsasl? Why not? (with webrev...)

Dan McDonald danmcd at nexenta.com
Tue Feb 8 08:51:29 PST 2011


I'm going to poke security-discuss at opensolaris.org as well, because part of
me wonders why, when they based the code on Cyrus 2.1.15, they didn't take
LOGIN in with the other methods (GSS, PLAIN, etc.)?

I looked at vulnerabilities in this older version (2.1.23 appears to be the
latest), and the only one I saw was fixed in build 117.

Unless LOGIN has some problems, I'm not sure why it wasn't included in the
sasl_plugins/ directory.

I have a specific problem (mutt talking to an Exchange version of IMAP) that
requires the LOGIN authentication method be there, so I went ahead and
shoehorned in 2.1.15's version of this plugin.  Here's the webrev:

	http://www.kebe.com/~danmcd/webrevs/sasl-login/

I tried to preserve the hacks made for inclusion in the ON gate of other
methods (look for certain ifdefs, e.g.).

There's a bigger question about why we don't update to 2.1.23 also.  I'm not
sure about that either.  Also, it appears SASL expects plugins only in
/usr/lib/sasl/.  I suspect this is for reasons of preventing LD_LIBRARY_PATH
subversion attacks.

Anyway, I appreciate discussion on this.

Thanks,
Dan



