Bug#829652: marked as done (qmail-uids-gids: shell setting of qmail users dangerous)

[Debian Bug Tracking System]

Your message dated Tue, 26 May 2020 00:47:04 +0000
with message-id <e1jdnkg-000gti...@fasolo.debian.org>
and subject line Bug#961289: Removed package(s) from unstable
has caused the Debian Bug report #829652,
regarding qmail-uids-gids: shell setting of qmail users dangerous
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
829652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: qmail-uids-gids
Version: 1.06-5
Severity: important

The shell used for the qmail-uids-gids users is bad, even dangerous.  The
qmail documentation explicitly stated those users should have a shell of
/bin/false.  In the modern era /usr/sbin/nologin might be substituted.

Problem is, the way the qmail-uids-gids was written, the qmail users will
have a shell of /bin/bash, and the error message will suggest a shell of
/bin/sh.

This is VERY bad.  The attached patch fixes this for new installations,
but won't fix the issue for existing installations.  The original script
doesn't really do much for installations that were older either.

This URGENTLY needs to be fixed!


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445



--- netqmail-1.06.orig/debian/qmail-uids-gids.postinst	2016-07-04 19:47:23.000000000 -0700
+++ netqmail-1.06/debian/qmail-uids-gids.postinst	2016-07-04 19:52:15.440000000 -0700
@@ -45,13 +45,13 @@
 
   $DEBUG groupadd -g 64010 qmail || return 1
   $DEBUG addgroup --system nofiles || return 1
-  $DEBUG useradd -u 64010 -g nofiles -d /var/lib/qmail/alias alias || return 1
-  $DEBUG useradd -u 64011 -g nofiles -d /var/lib/qmail qmaild || return 1
-  $DEBUG useradd -u 64015 -g nofiles -d /var/lib/qmail qmaill || return 1
-  $DEBUG useradd -u 64016 -g nofiles -d /var/lib/qmail qmailp || return 1
-  $DEBUG useradd -u 64014 -g qmail -d /var/lib/qmail qmailq || return 1
-  $DEBUG useradd -u 64013 -g qmail -d /var/lib/qmail qmailr || return 1
-  $DEBUG useradd -u 64012 -g qmail -d /var/lib/qmail qmails || return 1
+  $DEBUG useradd -u 64010 -s /bin/false -g nofiles -d /var/lib/qmail/alias alias || return 1
+  $DEBUG useradd -u 64011 -s /bin/false -g nofiles -d /var/lib/qmail qmaild || return 1
+  $DEBUG useradd -u 64015 -s /bin/false -g nofiles -d /var/lib/qmail qmaill || return 1
+  $DEBUG useradd -u 64016 -s /bin/false -g nofiles -d /var/lib/qmail qmailp || return 1
+  $DEBUG useradd -u 64014 -s /bin/false -g qmail -d /var/lib/qmail qmailq || return 1
+  $DEBUG useradd -u 64013 -s /bin/false -g qmail -d /var/lib/qmail qmailr || return 1
+  $DEBUG useradd -u 64012 -s /bin/false -g qmail -d /var/lib/qmail qmails || return 1
   # done
   return 0
 }
@@ -83,13 +83,13 @@
 exist yet, this package will add them automatically.
 
 /etc/passwd:
-alias:x:64010:XXXXX:qmail alias:/var/lib/qmail/alias:/bin/sh
-qmaild:x:64011:XXXXX:qmail daemon:/var/lib/qmail:/bin/sh
-qmails:x:64012:64010:qmail send:/var/lib/qmail:/bin/sh
-qmailr:x:64013:64010:qmail remote:/var/lib/qmail:/bin/sh
-qmailq:x:64014:64010:qmail queue:/var/lib/qmail:/bin/sh
-qmaill:x:64015:XXXXX:qmail log:/var/lib/qmail:/bin/sh
-qmailp:x:64016:XXXXX:qmail pw:/var/lib/qmail:/bin/sh
+alias:x:64010:XXXXX:qmail alias:/var/lib/qmail/alias:/bin/false
+qmaild:x:64011:XXXXX:qmail daemon:/var/lib/qmail:/bin/false
+qmails:x:64012:64010:qmail send:/var/lib/qmail:/bin/false
+qmailr:x:64013:64010:qmail remote:/var/lib/qmail:/bin/false
+qmailq:x:64014:64010:qmail queue:/var/lib/qmail:/bin/false
+qmaill:x:64015:XXXXX:qmail log:/var/lib/qmail:/bin/false
+qmailp:x:64016:XXXXX:qmail pw:/var/lib/qmail:/bin/false
 /etc/group:
 qmail:x:64010:
 nofiles:x:XXXXX:

--- End Message ---

--- Begin Message ---

Version: 1.06-6.2+rm

Dear submitter,

as the package netqmail has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/961289

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---