Hello everybody,

Aleksi Suhonen wrote on Mon 01 Feb, 04:40 (+0000):
> Package: ssmtp
> Version: 2.64-1
> Severity: critical
> Justification: causes serious data loss
> 
> The configuration file /etc/ssmtp/ssmtp.conf is not readable
> by everybody, but ssmtp itself is run without any special privileges:
> 
> zsh% ls -l /etc/ssmtp/ssmtp.conf /usr/sbin/ssmtp
> -rw-r----- 1 root mail   607 Dec  9 12:49 /etc/ssmtp/ssmtp.conf
> -rwxr-xr-x 1 root root 36168 Nov 24 03:33 /usr/sbin/ssmtp*
> zsh% 

I think this is intended. The postinst script contains these lines

        chmod 640 /etc/ssmtp/ssmtp.conf
        chown root:mail /etc/ssmtp/ssmtp.conf

I guess the maintainer wants to secure the AuthPass entry in ssmtp.conf.
But he didn't change the permission of ssmtp. The postinst script should
run this code:

dpkg-statoverride --update --add root mail 2755 /usr/sbin/ssmtp

This is also a fix for broken installations.

Bye, Jörg.
-- 
Money alone does not make you happy, but it is better to cry in a taxi
than in the tram.
                                                (Marcel Reich‐Ranicki)
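
Added example, not part of the original message or of the ssmtp package: a small shell check for the mismatch discussed above, where the config is mode 640 root:mail but the binary carries no setgid bit for that group. The function names are hypothetical, GNU stat is assumed, and the check deliberately ignores the file owner and callers who are themselves members of the group.

```sh
#!/bin/sh
# Added example. verdict and audit_pair are hypothetical helper names.

# verdict CONF_MODE CONF_GROUP BIN_MODE BIN_GROUP
# Modes are octal strings as printed by "stat -c %a" (e.g. 640, 2755).
# Prints one of:
#   world-readable  any user can read the config (AuthPass is exposed)
#   setgid-ok       config is group-readable and the binary is setgid to
#                   the same group and executable by others
#   unreadable      an unprivileged caller of the binary cannot read it
verdict() {
    conf_mode=$1 conf_group=$2 bin_mode=$3 bin_group=$4
    c=$((0$conf_mode))   # leading 0 makes the shell parse the value as octal
    b=$((0$bin_mode))
    if [ $((c & 04)) -ne 0 ]; then
        echo world-readable
    elif [ $((c & 040)) -ne 0 ] && [ $((b & 02000)) -ne 0 ] &&
         [ $((b & 01)) -ne 0 ] && [ "$conf_group" = "$bin_group" ]; then
        echo setgid-ok
    else
        echo unreadable
    fi
    return 0
}

# audit_pair CONF BIN: read mode and group from the files and classify them.
audit_pair() {
    conf=$1 bin=$2
    verdict "$(stat -c %a "$conf")" "$(stat -c %G "$conf")" \
            "$(stat -c %a "$bin")"  "$(stat -c %G "$bin")"
}

# Only runs where the package is actually installed.
if [ -e /etc/ssmtp/ssmtp.conf ] && [ -e /usr/sbin/ssmtp ]; then
    audit_pair /etc/ssmtp/ssmtp.conf /usr/sbin/ssmtp
fi
```

With the listing quoted in the report (640 root:mail, 755 root:root) this prints "unreadable"; after the dpkg-statoverride line above (2755 root:mail) it prints "setgid-ok".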
