Control: tags -1 + confirmed
Control: severity -1 important
On 08.03.21 16:50, PICCORO McKAY Lenz wrote:
> Currently, as a normal user, the users database can be accessed if we set up mysql, postgres or sqlite, including ldap setups. I mean, a limited account can query users' mail data to make some kind of attack. This information is revealed from the DB:
>
> serveruno:$ authtest test
> Authentication succeeded.
> Authenticated: test (uid 244, gid 244)
> Home Directory: /home/users/intranetusers/test
> Maildir: /home/users/intranetusers/test/Maildir
> Quota: (none)
> Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
> Cleartext Password: 1
> Options: (none)
While I generally agree that this is not optimal and should be better guarded, it does not seem to reveal sensitive information (i.e. it is not very different from a `cat /etc/passwd`).
Given authtest clearly is a test-tool only, I agree that its permissions should be limited as requested.
> ADDITIONAL NOTE: the package that owns the program is authlib. This is completely wrong, because important setup is not retrieved by reportbug, like the modified authdaemon setup files. /usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest must belong to authdaemon (to make sense).
Thanks, that's a good hint as well.

Regards
Markus
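As an added example (not part of the bug report or the courier-authlib package), a small POSIX shell audit of the helper binaries named in the report for world-execute permission, plus the Debian way to restrict them so that package upgrades keep the change; the group name "courier" and the 0750 mode are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report: audit /usr/sbin/authtest and
# friends for the "others" execute bit and restrict them with dpkg-statoverride.
# Assumptions: GNU stat, group "courier", mode 0750.

# Print 1 if "others" have the execute bit on the given path, else 0.
# Exit status 2 if the path cannot be stat'ed.
world_exec() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit is the "others" triplet; the x bit has value 1.
    others=$(printf '%s' "$mode" | tail -c 1)
    case "$others" in
        1|3|5|7) echo 1 ;;
        *)       echo 0 ;;
    esac
}

# Audit a list of paths; return non-zero if any of them is world-executable.
audit_helpers() {
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p"; continue; }
        if [ "$(world_exec "$p")" = 1 ]; then
            echo "WORLD-EXECUTABLE: $p ($(stat -c '%a %U:%G' "$p"))"
            rc=1
        fi
    done
    return $rc
}

# Persistently restrict one helper on Debian. dpkg-statoverride records the
# owner/group/mode so that later package upgrades do not reset them;
# --update applies the change immediately if the file exists.
restrict_helper() {
    dpkg-statoverride --update --add root courier 0750 "$1"
}

# Usage with the paths named in the report (requires root to restrict):
#   audit_helpers /usr/sbin/authenumerate /usr/sbin/authpasswd /usr/sbin/authtest
#   restrict_helper /usr/sbin/authtest
```

Restricting the binaries only stops unprivileged users from running the helpers; it does not change what the authdaemon backend itself returns to a client that can reach it.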