Bug#568925: esmtp: configuration file world-readable

2010-02-11 Thread Salvatore Bonaccorso
Hi Rolf

I'm sorry for getting back so late to you (I did not receive your
email via the bugtracker)!

Please note the following from the esmtprc manpage:

   username
          Set the username for authentication with the SMTP server.

          Do NOT set the username and password in the system configuration
          file unless you are the only user of this machine.  Esmtp is not
          run with suid privileges therefore the system configuration file
          must be readable by everyone.  If your SMTP server requires
          authentication and you are not the only user then specify your
          personal SMTP account details in the user configuration file.

   password
          Set the password for authentication with the SMTP server.


By design, esmtp needs the global configuration file to be
world-readable. If you are not the only user of the system, then
username/password configuration should be done on a per-user basis in
~/.esmtprc.

What I will do is the following: I will add a clearer statement
about this, probably in the README.Debian file, and add a news
entry too.

Bests
Salvatore


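The mitigation described above (credentials belong in a ~/.esmtprc that only its owner can read, never in the necessarily world-readable /etc/esmtprc) as an added audit script. It is not part of esmtp or of this bug report, and it assumes only the simple "key = value" / "key value" line syntax of esmtprc (identity blocks are not handled).

```python
"""Audit esmtp config files for the exposure pattern in Bug#568925:
username/password in the world-readable system file /etc/esmtprc, or a
per-user ~/.esmtprc that other accounts can read.  Added example, not
esmtp code; handles only simple "key = value" lines (assumption)."""
import os
import re
import stat

CREDENTIAL_KEYS = ("username", "password")
# key, optional '=', optionally double-quoted value, optional '#' comment
_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*=?\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_esmtprc(text):
    """Return {key: value} for simple keyword lines; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit(label, text, mode, system_file):
    """Return findings for one file.  mode: st_mode bits; system_file marks
    /etc/esmtprc, which esmtp (not setuid) needs world-readable, so any
    credentials there are visible to every local account."""
    findings = []
    creds = [k for k in CREDENTIAL_KEYS if k in parse_esmtprc(text)]
    others = mode & (stat.S_IRWXG | stat.S_IRWXO)
    if system_file and creds:
        findings.append(f"{label}: {'/'.join(creds)} set in the system file; "
                        "move them to ~/.esmtprc")
    elif creds and others:
        findings.append(f"{label}: holds credentials but mode is "
                        f"{mode & 0o777:04o}; chmod 0600 it")
    return findings


def audit_path(path, system_file):
    with open(path) as fh:
        text = fh.read()
    return audit(path, text, os.stat(path).st_mode, system_file)


if __name__ == "__main__":
    for path, sysf in (("/etc/esmtprc", True),
                       (os.path.expanduser("~/.esmtprc"), False)):
        if os.path.exists(path):
            print("\n".join(audit_path(path, sysf)) or f"{path}: ok")
```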


Bug#568925: esmtp: configuration file world-readable

2010-02-08 Thread Rolf Leggewie
Package: esmtp
Version: 0.6.0-1
Severity: critical
Tags: security
Justification: root security hole

The configuration file for esmtp is installed world-readable.  This is a security
hole since it may contain user/password combinations for remote mail servers.
This is even likely to be generally the case.

I report this from my Ubuntu machine after checking the Debian Changelog did not
contain any reference to this being fixed.  After looking at esmtp.postinst from
the Debian package I am also reasonably confident that this issue is still
present in the latest unstable package.  Please accept my apologies should that
not be the case.

-- System Information:
Debian Release: squeeze/sid
  APT prefers karmic-updates
  APT policy: (500, 'karmic-updates'), (500, 'karmic-security'), (500, 'karmic')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-11-generic (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages esmtp depends on:
ii  debconf [debconf-2.0]  1.5.27ubuntu2     Debian configuration management sy
ii  libc6                  2.10.1-0ubuntu16  GNU C Library: Shared libraries
ii  libesmtp5              1.0.4-2           LibESMTP SMTP client library

Versions of packages esmtp recommends:
ii  esmtp-run              0.6.0-1           User configurable relay-only MTA

Versions of packages esmtp suggests:
pn  procmail | maildrop | deliver  (no description available)

-- debconf information excluded
