Re: webmail server & getpwnam "inherently unreliable" -- Precisely why is that?

From: Nico Kadel-Garcia
Date: 03/11/02

From: "Nico Kadel-Garcia"
Date: Mon, 11 Mar 2002 14:26:58 GMT

"gaius.petronius" wrote in message
> Cross-posted because it basically touches on 2 aspects of the password
> issue on a webmail server, the code to check the passwd, and the
> system itself.
> quote from
> "WARNING: getpwnam is inherently unreliable. It fails to distinguish
> between temporary errors and nonexistent users. Future versions of
> getpwnam should return ETXTBSY to indicate temporary errors and ESRCH
> to indicate nonexistent users."
> Precisely why is the getpwnam library function(?) "inherently
> unreliable"?
> The background to all this is that the management types have requested
> a "webmail" server which has the same look and feel as Hotmail,
> Yahoo, et cetera.
> I at least got what I asked for in order to implement this: a separate
> server on which I plan to alias usernames from the original server (step
> 1), and then use programs like checkpwd.
> But in the end the machine is still using the same old SMTP plain text
> login, so I don't really see the point and don't see how I can ensure
> security against a cracker sniffing what he knows to be the first N
> packets in a POP or IMAP exchange.

*INSIST* on SSL use to prevent this.

> Am I right or wrong about the uselessness of trying to strengthen the
> password login aspect of this machine in the face of the fact that they
> will send plaintext passwords over the internet?

Basically, yes.

> Furthermore, the reason why they want a *browser* based email service
> is so that when they are on the road they can just use the clients'
> browsers to get their mail. Now correct me if I'm in error here, but
> isn't that a giant step in the direction of breaking security in
> itself? That means whatever crackers may be doing at client sites
> automatically infects this webmail server.

See above. Explain that this is, in fact, a common problem and that crackers
*love* to break into firewalls to monitor this sort of traffic.