Beside the real vulnerability, what is interesting is that Qualys used an
outdated Fedora package to prepare the report:

On Linux, this vulnerability is generally not exploitable because
/proc/sys/fs/protected_hardlinks prevents attackers from creating
hardlinks to files they do not own. On Fedora 31, however, smtpctl is
set-group-ID root, not set-group-ID smtpq:

------------------------------------------------------------------------------
-r-xr-sr-x. 1 root root 303368 Jul 26  2019 /usr/sbin/smtpctl
------------------------------------------------------------------------------
The latest package (6.6.2, pushed to stable on Feb 09) contains a different
file:

# ls -la /usr/sbin/smtpctl
-r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl

The version that they tested was from way back in 2019.

I think I need to inform them separately, but just FYI.
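As an added example (not part of the original post, and not code from Qualys or the Fedora smtpctl package), the following script parses `ls -la` lines like the two quoted above and reports which binaries carry a setuid/setgid bit, which group they hand out, and whether the `/proc/sys/fs/protected_hardlinks` setting mitigates the hardlink trick the advisory mentions. The sample `ls` output is constructed from the lines in the post plus one hypothetical non-privileged entry; the `Finding` class, `parse_ls_line`, `audit`, `assess` and `read_protected_hardlinks` names are this example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two `ls -la` lines quoted in the post (the 2019
# Fedora 31 build and the 6.6.2 build), plus a hypothetical non-setgid
# entry for contrast. Not real output from any audited host.
SAMPLE_LS_OUTPUT = """\
-r-xr-sr-x. 1 root root 303368 Jul 26  2019 /usr/sbin/smtpctl
-r-xr-sr-x 1 root smtpq 333288 Jan 31 18:43 /usr/sbin/smtpctl
-rwxr-xr-x 1 root root 12345 Jan 31 18:43 /usr/sbin/smtpd
"""

# One `ls -l` line: mode (optional trailing '.' for an SELinux label),
# link count, owner, group, size, three date tokens, path.
LS_LINE = re.compile(
    r"^(?P<mode>[-a-z][rwxsStT-]{9})\.?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)


@dataclass
class Finding:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool

    @property
    def setgid_root(self) -> bool:
        # The configuration the post flags: group-executable as root
        # rather than as a dedicated service group such as smtpq.
        return self.setgid and self.group == "root"


def parse_ls_line(line: str) -> Optional[Finding]:
    """Parse one `ls -l` line; return None for lines that do not match."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    mode = m.group("mode")
    # Mode layout: [type][user rwx][group rwx][other rwx]; an 's' or 'S' in
    # the user execute slot (index 3) is setuid, in the group slot (6) setgid.
    return Finding(
        path=m.group("path"),
        owner=m.group("owner"),
        group=m.group("group"),
        setuid=mode[3] in "sS",
        setgid=mode[6] in "sS",
    )


def audit(ls_output: str) -> List[Finding]:
    """Parse every line of `ls -l` output, skipping unparseable ones."""
    findings = []
    for line in ls_output.splitlines():
        f = parse_ls_line(line)
        if f is not None:
            findings.append(f)
    return findings


def read_protected_hardlinks(path: str = "/proc/sys/fs/protected_hardlinks") -> Optional[int]:
    """Return the sysctl value (0 or 1) on Linux, or None if unavailable."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())


def assess(finding: Finding, protected_hardlinks: Optional[int]) -> str:
    """Classify exposure: which account the bits grant, and whether the
    protected_hardlinks sysctl (1 = on) blocks hardlinks to unowned files."""
    if not (finding.setuid or finding.setgid):
        return "no-privilege-bits"
    if finding.setgid_root or (finding.setuid and finding.owner == "root"):
        base = "privileged-root"
    else:
        base = "privileged-service-account"
    if protected_hardlinks == 1:
        return base + ":hardlinks-protected"
    return base + ":hardlinks-unprotected"


if __name__ == "__main__":
    sysctl = read_protected_hardlinks()
    for f in audit(SAMPLE_LS_OUTPUT):
        print(f"{f.path:20} owner={f.owner:6} group={f.group:6} {assess(f, sysctl)}")
```

On a live host, replace `SAMPLE_LS_OUTPUT` with the output of `ls -la /usr/sbin/smtpctl`; the `assess` result separates the two conditions the post contrasts: a setgid-root binary on a system with `protected_hardlinks=0`, versus a binary that is setgid to a dedicated service group.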
