Hello everybody,

Aleksi Suhonen wrote on Mon 01 Feb, 04:40 (+0000):
> Package: ssmtp
> Version: 2.64-1
> Severity: critical
> Justification: causes serious data loss
>
> The configuration file /etc/ssmtp/ssmtp.conf is not readable
> by everybody, but ssmtp itself is run without any special privileges:
>
> zsh% ls -l /etc/ssmtp/ssmtp.conf /usr/sbin/ssmtp
> -rw-r----- 1 root mail 607 Dec 9 12:49 /etc/ssmtp/ssmtp.conf
> -rwxr-xr-x 1 root root 36168 Nov 24 03:33 /usr/sbin/ssmtp*
> zsh%

I think this is intended. The postinst script contains these lines:

  chmod 640 /etc/ssmtp/ssmtp.conf
  chown root:mail /etc/ssmtp/ssmtp.conf

I guess the maintainer wants to secure the AuthPass entry in ssmtp.conf.
But he didn't change the permission of ssmtp. The postinst script should
run this code:

  dpkg-statoverride --update --add root mail 2755 /usr/sbin/ssmtp

This is also a fix for broken installations.

Bye, Jörg.
-- 
Money alone does not make you happy, but it is better to cry in a taxi
than in a tram. (Marcel Reich‐Ranicki)
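
Added example, not part of the original message and not code from the ssmtp package: a shell check for the mismatch discussed above, where a config locked to mode 640 is only usable if the binary is setgid to the config's group. The helper name check_conf_access and the scratch files are assumptions; GNU stat is assumed, and the caller's own group stands in for "mail" so the demo needs no root.

```shell
# Hypothetical helper (not from the ssmtp package); GNU coreutils stat assumed.
# Models an unprivileged caller who is neither owner of CONF nor in its group.
# Returns 0 = ok, 1 = BIN cannot read CONF, 2 = CONF world-readable, 3 = error.
check_conf_access() {
    conf=$1
    bin=$2
    conf_mode=$(stat -c '%a' "$conf") || return 3
    bin_mode=$(stat -c '%a' "$bin") || return 3
    conf_gid=$(stat -c '%g' "$conf")
    bin_gid=$(stat -c '%g' "$bin")

    # "Other" read bit set: the config (and AuthPass) is open to every user.
    if [ $(( 0$conf_mode & 04 )) -ne 0 ]; then
        echo "exposed: $conf is world-readable"
        return 2
    fi
    # Group-readable config plus a setgid binary owned by the same group.
    if [ $(( 0$conf_mode & 040 )) -ne 0 ] &&
       [ $(( 0$bin_mode & 02000 )) -ne 0 ] &&
       [ "$conf_gid" = "$bin_gid" ]; then
        echo "ok: $bin is setgid to the group that may read $conf"
        return 0
    fi
    echo "broken: $bin runs with the caller's groups and cannot read $conf"
    return 1
}

# Constructed demo in a scratch directory; the files are empty stand-ins
# for /etc/ssmtp/ssmtp.conf and /usr/sbin/ssmtp.
demo() {
    d=$(mktemp -d) || return 3
    : > "$d/ssmtp.conf"
    : > "$d/ssmtp"
    chmod 640 "$d/ssmtp.conf"
    chmod 755 "$d/ssmtp"      # state shown in the bug report
    before=0; check_conf_access "$d/ssmtp.conf" "$d/ssmtp" || before=$?
    chmod 2755 "$d/ssmtp"     # mode from the suggested dpkg-statoverride
    after=0; check_conf_access "$d/ssmtp.conf" "$d/ssmtp" || after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```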