Package: procmail
Version: 3.22-10
Severity: wishlist
Tags: patch

Hi!

Currently, procmail is installed as setuid root by default, which is unnecessary when using it with e.g. exim4 or postfix. Installing it setgid mail (and using the mail group only when necessary) is much safer and greatly limits the potential impact of security holes.

You can get the patch from

  http://patches.ubuntu.com/patches/procmail.minprivs.diff

It has been applied in Ubuntu for half a year now without problems (however, suid root installation defaults to "no" there). Please consider adopting it for Debian.

Thanks,

Martin

procmail (3.22-9ubuntu1) unstable; urgency=low

  * Minimized sgid privilege usage: right at the program start the
    effective group (mail) is reset to the real group (normally the user's
    primary group); privileged group 'mail' is just used when creating a
    previously missing default mailbox in /var/mail/<username>.
  * Added debconf question whether to install procmail setuid root (with
    default 'yes' to stay compatible). This is not needed with e.g. exim4
    and postfix, disabling it eliminates a potential security hole.
  * Added build-dep po-debconf and dependency debconf.
  * Added German translation of debconf question.

 -- Martin Pitt <[EMAIL PROTECTED]>  Sat, 24 Jul 2004 00:52:55 +0200

--
Martin Pitt                   http://www.piware.de
Ubuntu Developer              http://www.ubuntulinux.org
Debian GNU/Linux Developer    http://www.debian.org
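The privilege pattern described in the changelog entry above, as an added sketch that is not taken from procmail.minprivs.diff or from procmail itself: the setgid group is dropped at program start and re-acquired only around mailbox creation. The function names, the exit code and the 0660 mode are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static gid_t priv_gid; /* effective gid at exec time ("mail" when setgid) */

/* Call first thing in main(): remember the privileged gid, then run with the
 * invoking user's real group. The kernel keeps the privileged gid as the
 * saved set-group-ID, which is what allows switching back later. */
int sgid_drop_at_start(void)
{
    priv_gid = getegid();
    return setegid(getgid());
}

/* Create a missing mailbox under the privileged group, then drop again.
 * Returns 0 on success, -1 with errno set on failure. */
int create_mailbox(const char *path)
{
    int fd, saved_errno;

    if (setegid(priv_gid) != 0)
        return -1;
    /* O_EXCL refuses an existing file or a symlink planted in the spool dir */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0660);
    saved_errno = errno;
    /* Drop before doing anything else; a failed drop must never be ignored */
    if (setegid(getgid()) != 0 || getegid() != getgid())
        _exit(111);
    if (fd < 0) {
        errno = saved_errno;
        return -1;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* argv[1] is a demo path; a real MDA would derive it from the spool dir */
    if (sgid_drop_at_start() != 0 || (argc > 1 && create_mailbox(argv[1]) != 0)) {
        perror("mailbox");
        return 1;
    }
    return 0;
}
```

Run without the setgid bit, the real and effective groups are already equal, so both switches are no-ops and the file is created with the caller's own group.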