Bug#661954: ssmtp: ssmtp.conf is world readable

2017-05-05 Thread Dale Harris
Package: ssmtp
Version: 2.64-8+b2
Followup-For: Bug #661954

Dear Maintainer,


Just sending a "me too" in hopes that the patch will be accepted and this bug
will go away. We're up to Debian 9 now.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]  1.5.60
ii  libc6  2.24-10
ii  libgnutls-openssl27  3.5.8-5

ssmtp recommends no packages.

ssmtp suggests no packages.

-- Configuration Files:
/etc/logcheck/ignore.d.server/ssmtp [Errno 13] Permission denied: '/etc/logcheck/ignore.d.server/ssmtp'
/etc/ssmtp/revaliases changed [not included]

-- debconf information excluded



Bug#661954: ssmtp: ssmtp.conf is world readable

2012-03-02 Thread mark cunningham
Package: ssmtp
Version: 2.64-4
Severity: important

ssmtp is world readable upon fresh install. This issue seems to be the same
as bug #500454 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454 back
in 2009 however it should have been fixed. Either it wasn't (in which case,
the bug report needs to be reopened I'd imagine)
or the permissions have been altered to be world readable again.

-rw-r--r-- 1 root root 577 Mar  2 22:59 /etc/ssmtp/ssmtp.conf


The solution posted in #500454 sounds sufficient. I'll just quote it here
for handiness
--
Please consider fixing this.
Example methods:
Add an ssmtp group, change the ownership and permissions of /etc/ssmtp/*
to root:ssmtp 0640 or 0660, and make ssmtp/sendmail root:ssmtp and
setgid so that when run by a user, it runs as group ssmtp and gets
permission to read the file; the user won't ever have permission to
read.  You could also use the existing "mail" group, if appropriate.

You could also do this using setuid to root or a ssmtp user, but this is
unnecessary and has potential security implications that a simple setgid
change would not.

This won't require any code changes; it's simply an
ownership/permissions tweak.
--



-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]  1.5.36.1   Debian configuration management sy
ii  libc6                  2.11.2-10  Embedded GNU C Library: Shared lib
ii  libgnutls26            2.8.6-1    the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.


-- debconf information excluded
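
A check for the root:group 0640/0660 plus setgid layout quoted above from #500454, as an added example that is not part of the bug report or the ssmtp package. The function name `audit_ssmtp` is hypothetical, GNU `stat` is assumed, and the binary's path is passed in by the caller because the report does not give it.

```shell
#!/bin/sh
# Added example: audit a config file and the binary that reads it against the
# root:<group> 0640/0660 + setgid layout quoted from #500454.
# Assumption: GNU stat (coreutils), as shipped on Debian.
# Usage: audit_ssmtp /etc/ssmtp/ssmtp.conf <path-to-ssmtp-binary>

audit_ssmtp() {
    conf=$1
    bin=$2
    rc=0
    conf_mode=$(stat -c '%a' "$conf") || return 2
    conf_gid=$(stat -c '%g' "$conf") || return 2
    bin_mode=$(stat -c '%a' "$bin") || return 2
    bin_gid=$(stat -c '%g' "$bin") || return 2

    # Last octal digit is the "other" class; 0640 and 0660 both end in 0.
    case $conf_mode in
        *0) ;;
        *) echo "FAIL: $conf is mode $conf_mode, accessible to other"; rc=1 ;;
    esac

    # The group must be able to read the file, or the setgid binary cannot.
    case $conf_mode in
        *[4567]?) ;;
        *) echo "FAIL: $conf is mode $conf_mode, not group-readable"; rc=1 ;;
    esac

    # A four-digit mode whose first digit has the 2 bit set means setgid.
    case $bin_mode in
        [2367]???) ;;
        *) echo "FAIL: $bin is mode $bin_mode, not setgid"; rc=1 ;;
    esac

    # setgid only helps if the binary's group is the one that owns the config.
    if [ "$conf_gid" != "$bin_gid" ]; then
        echo "FAIL: $conf gid $conf_gid differs from $bin gid $bin_gid"
        rc=1
    fi

    # The quoted text calls setuid unnecessary; report it without failing.
    case $bin_mode in
        [4567]???) echo "WARN: $bin is mode $bin_mode, setuid is set" ;;
    esac

    return $rc
}
```

The function returns 0 when the layout matches, 1 when any check fails, and 2 when either path cannot be read by `stat`.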