Package: openwebmail
Version: 2.41-6
Severity: important
Tags: security

Quote:
"
OpenWebmail needs suid. Setting... Done.
Initializing. It could take a while...
".
This happens after update, while documentation states:

"...and you want to improve the security of your system
...
...

4. Change permissions

chmod -s /usr/share/openwebmail/cgi-bin/*.pl
"

This leads to the package unexpectedly running suid root.
And those are complicated pieces of unaudited code, running even without "-T".

This setup leads to the spellchecker and calendar running as root behind the
users'/admins' backs.
 
Documentation should be fixed to state that dpkg-statoverride should be used
AND postinst shouldn't ignore an existing statoverride,
i.e.:
   # loop over the installed scripts (shell glob instead of `dir -1`)
   for f in /usr/lib/cgi-bin/openwebmail/openwebmail*.pl; do
           if [ -n "`dpkg-statoverride --list $f`" ]; then
                   : # don't touch an existing override!
           else
                   dpkg-statoverride --add root root 4755 $f
           fi
   done

Additionally, those lines in postinst are very troubling:
"
chown root.root /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true
chmod 4755 /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true
", they should be removed as soon as possible.
Under no circumstances should a package install behave like this.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux forumakad 2.4.28-bsd25a #1 Thu Nov 18 11:54:59 CET 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages openwebmail depends on:
ii  apache                    1.3.26-0woody6 Versatile, high-performance HTTP s
ii  apache [httpd]            1.3.26-0woody6 Versatile, high-performance HTTP s
ii  debconf                   1.0.32         Debian configuration management sy
ii  libauthen-pam-perl        0.12-2         This module provides a Perl interf
ii  libdbd-mysql-perl         1.2216-2       mySQL database interface for Perl
ii  libdbd-pg-perl            1.01-3         a PostgreSQL interface for Perl 5
ii  libmd5-perl               2.02-3         backwards-compatible wrapper for D
ii  libnet-ldap-perl          0.25-2         A Client interface to LDAP servers
ii  libtext-iconv-perl        1.2-1          Convert between character sets in
ii  perl                      5.6.1-8.8      Larry Wall's Practical Extraction
ii  perl-suid                 5.6.1-8.8      Runs setuid Perl scripts.
ii  ucf                       1.13           Update Configuration File: preserv
ii  wwwconfig-common          0.0.19         Debian web auto configuration.
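The two points raised above (postinst must not clobber an admin's dpkg-statoverride, and an admin should be able to see which CGI scripts actually ended up setuid root) as a small shell helper. This is an added example written for this page, not code from the bug report or from the openwebmail package; the function names, the separation of the decision from the dpkg-statoverride call, and the audit directory argument are all assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the openwebmail package):
# a postinst-style helper that honours existing dpkg-statoverride
# entries, plus an audit of which files under a directory are setuid.

# Decide whether FILE needs a new statoverride entry. The second argument
# is the output of `dpkg-statoverride --list FILE` (empty when no override
# exists), passed in explicitly so the rule can be exercised without dpkg.
# Returns 0 when an override should be added, 1 when one already exists.
needs_override() {
    _file=$1
    _existing=$2
    if [ -n "$_existing" ]; then
        return 1   # admin already decided the mode of this file: leave it
    fi
    return 0
}

# Register root:root 4755 for FILE only when no override exists yet.
# Never chown/chmod the file directly; let dpkg-statoverride own the mode.
register_override() {
    _file=$1
    _existing=`dpkg-statoverride --list "$_file" 2>/dev/null`
    if needs_override "$_file" "$_existing"; then
        dpkg-statoverride --add root root 4755 "$_file"
    fi
}

# Audit: print every regular file under DIR that carries the setuid bit,
# which is what an admin should check after an upgrade of a package like this.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Number of setuid files under DIR (0 when the directory does not exist).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit the directory given on the command line, e.g.
#   sh audit.sh /usr/lib/cgi-bin/openwebmail
if [ $# -gt 0 ]; then
    list_setuid "$1"
fi
```

`register_override` is the shape a postinst loop would take: the existing override is queried first and the `--add` only happens when the query is empty, so an admin who followed the "chmod -s" advice (recorded as an override) keeps that decision across upgrades. `list_setuid` is the check to run afterwards; on this report's system it should list nothing once the setuid bits have been removed.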


