Control: tags -1 + confirmed
Control: severity -1 important

On 08.03.21 16:50, PICCORO McKAY Lenz wrote:
Currently, as a normal user, the users database can be accessed
if we set up mysql, postgres or sqlite, including ldap setups.
I mean, a limited account can query users' mail data
to make some kind of attack.

This information is revealed from the DB:

serveruno:$ authtest test
Authentication succeeded.

      Authenticated: test  (uid 244, gid 244)
     Home Directory: /home/users/intranetusers/test
            Maildir: /home/users/intranetusers/test/Maildir
              Quota: (none)
Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
Cleartext Password: 1
            Options: (none)

While I generally agree that this is not optimal and should be better guarded, it does not seem to reveal sensitive information (i.e. it is not very different from a `cat /etc/passwd`).

Given authtest clearly is a test-tool only, I agree that its permissions should be limited as requested.

ADDITIONAL NOTE: the package that owns the program is authlib. This
is completely wrong, because the important setup is not retrieved by
reportbug, like the modified authdaemon setup files. The
/usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest
must belong to authdaemon (to make sense).

Thanks, that's a good hint as well.

Regards

Markus
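As an added illustration (not part of the bug report or of the courier packages): a small POSIX sh audit that reports whether the three tools named in the thread are reachable by unprivileged local users. The paths are the ones from the report; the required mode, no permission bits for "other", is an assumption about the intended hardening.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits the courier authlib
# test tools so an administrator can see whether any local account
# can run them (and thereby query the users database as shown above).

# Returns 0 when PATH grants no permission bits to "other", 1 when it
# does, 2 when the file is absent. Prints the octal mode it found.
check_no_other_access() {
    path=$1
    [ -e "$path" ] || { echo "$path: missing"; return 2; }
    # GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null) || mode=$(stat -f '%Lp' "$path")
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    if [ "$other" -eq 0 ]; then
        echo "$path: mode $mode ok (no access for other)"
        return 0
    fi
    echo "$path: mode $mode is accessible to any local user"
    return 1
}

# Paths taken from the report. Returns non-zero if any tool is exposed.
audit_auth_tools() {
    rc=0
    for p in /usr/sbin/authenumerate /usr/sbin/authpasswd /usr/sbin/authtest; do
        check_no_other_access "$p" || rc=1
    done
    return $rc
}

# On Debian a tightened mode survives package upgrades when recorded with
# dpkg-statoverride, e.g. (group name is a placeholder, choose your own):
#   dpkg-statoverride --update --add root GROUP 0750 /usr/sbin/authtest
```

Run `audit_auth_tools` as root on the mail host; a non-zero exit means at least one tool is executable by every local account.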
