Package: openwebmail
Version: 2.41-6
Severity: important
Tags: security

Quote:

    "OpenWebmail needs suid. Setting... Done. Initializing. It could take a while..."

This happens after update, while documentation states:
    "...and you want to improve the security of your system ...
    ...
    4. Change permissions
       chmod -s /usr/share/openwebmail/cgi-bin/*.pl"

This leads to the package unexpectedly running suid root. And those are complicated pieces of unaudited code, running even without "-T". This setup leads to the spellchecker and calendar running as root behind the users'/admins' back.

Documentation should be fixed to state that dpkg-statoverride should be used AND postinst shouldn't ignore an existing statoverride, i.e.:

    for f in /usr/lib/cgi-bin/openwebmail/openwebmail*.pl; do
        if dpkg-statoverride --list "$f" >/dev/null 2>&1; then
            : # don't touch existing override!
        else
            dpkg-statoverride --update --add root root 4755 "$f"
        fi
    done

Additionally, those lines in postinst are very troubling:

    chown root.root /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true
    chmod 4755 /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true

They should be removed as soon as possible. Under no circumstances should a package install behave like this.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux forumakad 2.4.28-bsd25a #1 Thu Nov 18 11:54:59 CET 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages openwebmail depends on:
ii  apache               1.3.26-0woody6  Versatile, high-performance HTTP s
ii  apache [httpd]       1.3.26-0woody6  Versatile, high-performance HTTP s
ii  debconf              1.0.32          Debian configuration management sy
ii  libauthen-pam-perl   0.12-2          This module provides a Perl interf
ii  libdbd-mysql-perl    1.2216-2        mySQL database interface for Perl
ii  libdbd-pg-perl       1.01-3          a PostgreSQL interface for Perl 5
ii  libmd5-perl          2.02-3          backwards-compatible wrapper for D
ii  libnet-ldap-perl     0.25-2          A Client interface to LDAP servers
ii  libtext-iconv-perl   1.2-1           Convert between character sets in
ii  perl                 5.6.1-8.8       Larry Wall's Practical Extraction
ii  perl-suid            5.6.1-8.8       Runs setuid Perl scripts.
ii  ucf                  1.13            Update Configuration File: preserv
ii  wwwconfig-common     0.0.19          Debian web auto configuration.
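An administrator who has followed the documented "chmod -s" hardening step wants a quick way to confirm, after an upgrade, which scripts in the CGI directory have silently become setuid again and whether each one is covered by a registered statoverride. The following POSIX sh script is an added example written for this report; it is not part of the bug report or of the openwebmail package. The function names (audit_setuid, count_setuid, report_overrides) are assumptions, and the demo() function builds a constructed temporary directory so the script runs on any host; the statoverride lookup only runs where dpkg-statoverride exists.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a directory for setuid files
# and report whether each is registered with dpkg-statoverride.

# Print every regular file under DIR that has the setuid bit set, sorted.
audit_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Number of setuid files under DIR (handy for a one-line health check).
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# For each setuid file, say whether a statoverride is registered for it.
# dpkg-statoverride --list exits 0 when an override exists (Debian only;
# on other hosts every setuid file is reported as "NO statoverride").
report_overrides() {
    audit_setuid "$1" | while IFS= read -r f; do
        if command -v dpkg-statoverride >/dev/null 2>&1 \
           && dpkg-statoverride --list "$f" >/dev/null 2>&1; then
            echo "$f: setuid, statoverride registered"
        else
            echo "$f: setuid, NO statoverride (set by postinst or by hand?)"
        fi
    done
}

# Constructed demo: one plain script and one setuid script in a temp dir.
demo() {
    tmp=$(mktemp -d)
    printf '#!/usr/bin/perl\n' > "$tmp/openwebmail.pl"
    printf '#!/usr/bin/perl\n' > "$tmp/openwebmail-spell.pl"
    chmod 0755 "$tmp/openwebmail.pl"
    chmod 4755 "$tmp/openwebmail-spell.pl"
    report_overrides "$tmp"
    echo "setuid files: $(count_setuid "$tmp")"
    rm -rf "$tmp"
}

demo
```

On a real Debian host, run report_overrides against /usr/lib/cgi-bin/openwebmail: any line ending in "NO statoverride" is a script whose setuid bit came from somewhere other than a registered override, which is exactly the situation the postinst chown/chmod lines above produce.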