Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
Thanks also Bart for reminding me of the other approach. (sorry I am a bit distracted by home things at the moment). After some thought I think it makes sense to change to the umask approach anyway, as it is more efficient (fewer fork/execs), and also covers the case where the symlink exists but the target does not yet, which the tempfile approach missed. Uploaded again, I hope that this is my last change of mind now :-) Thanks Nick diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog2012-08-21 09:01:40.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) + + -- Nick Leverton n...@leverton.org Tue, 21 Aug 2012 09:01:38 +0100 + nullmailer (1:1.11-1) unstable; urgency=low * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.0 +0100 @@ -24,6 +24,15 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + if [ ! -e /etc/nullmailer/remotes ] + then + M=$( umask ) + umask 077 +/etc/nullmailer/remotes + chown mail:mail /etc/nullmailer/remotes + umask $M + fi echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
Hi Nick, On Tue, Aug 21, 2012 at 09:29:28AM +0100, Nick Leverton wrote: Thanks also Bart for reminding me of the other approach. My pleasure. (sorry I am a bit distracted by home things at the moment). No problem at all. diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.0 +0100 @@ -24,6 +24,15 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + if [ ! -e /etc/nullmailer/remotes ] + then + M=$( umask ) + umask 077 + /etc/nullmailer/remotes + chown mail:mail /etc/nullmailer/remotes + umask $M + fi echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \ What if the file already exists : No chmod and no chown needed then ? Regards, Bart Martens -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120821155150.ga27...@master.debian.org
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On Sun, Aug 19, 2012 at 10:16:50AM -0700, Don Armstrong wrote: If bartm is unable to upload this, I will do it. However, you need to first check that /etc/nullmailer/remotes is a regular file, as it would be a perfectly reasonable configuration to have replaced /etc/nullmailer/remotes with a symlink. Secondly, you really should only do the replacement if /etc/nullmailer/remotes is world readable; otherwise you should assume that the administrator has modified things (for example, running nullmailer as an entirely different user). Hi Don, You raise some valuable issues, thanks. I think that merely not replacing, chmodding or chowning the file if it already exists is a simple and safe solution which allows the sysadmin to change what she wants post-installation. This does mean that existing installations will not be protected, but I don't think that that's important enough to be worth a NEWS entry to warn the admin. Thankyou very much for your review. I've amended the package accordingly and re-uploaded to mentors, and I hope it passes muster for upload. The updated debdiff is attached (same version number, new changelog timestamp). Thankyou Nick diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog2012-08-20 23:02:07.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) + + -- Nick Leverton n...@leverton.org Mon, 20 Aug 2012 23:02:04 +0100 + nullmailer (1:1.11-1) unstable; urgency=low * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-20 23:01:04.0 +0100 @@ -24,6 +24,13 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + if [ ! -L /etc/nullmailer/remotes -a ! -e /etc/nullmailer/remotes ] + then + R=$( tempfile -d /etc/nullmailer -p nullm ) + chown mail:mail $R + mv $R /etc/nullmailer/remotes + fi echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
Hi Nick, How about the umask-touch-chmod approach we discussed via private e-mail ? That would also work for a symlink if I'm not mistaken. (This is just a suggestion. I don't mind that you and Don proceed in a different way.) Regards, Bart Martens -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120821052018.gc24...@master.debian.org
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On Sun, 12 Aug 2012, Nick Leverton wrote: * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-12 20:23:46.0 +0100 @@ -24,10 +24,14 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + R=$( tempfile -d /etc/nullmailer -p nullm ) echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \ - -e 's/[][]//g' /etc/nullmailer/remotes + -e 's/[][]//g' $R + chown mail:mail $R + mv $R /etc/nullmailer/remotes db_get nullmailer/adminaddr if [ $RET ]; then If bartm is unable to upload this, I will do it. However, you need to first check that /etc/nullmailer/remotes is a regular file, as it would be a perfectly reasonable configuration to have replaced /etc/nullmailer/remotes with a symlink. Secondly, you really should only do the replacement if /etc/nullmailer/remotes is world readable; otherwise you should assume that the administrator has modified things (for example, running nullmailer as an entirely different user). Don Armstrong -- He no longer wished to be dead. At the same time, it cannot be said that he was glad to be alive. But at least he did not resent it. He was alive, and the stubbornness of this fact had little by little begun to fascinate him -- as if he had managed to outlive himself, as if he were somehow living a posthumous life. -- Paul Auster _City of Glass_ http://www.donarmstrong.com http://rzlab.ucr.edu -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120819171650.gb21...@teltox.donarmstrong.com
Re: Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On Tue, Aug 14, 2012 at 02:00:05AM +0300, Peter Pentchev wrote: On Tue, Aug 14, 2012 at 02:51:16AM +0400, Michael Tokarev wrote: On 13.08.2012 00:18, Nick Leverton wrote: [] diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog 2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog 2012-08-11 23:55:36.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) What's wrong with remotes being world-readable? For instance, it may include SMTP authentication information. This is the issue, yes. Security team classed it as Serious (#684619, see original upload template) and hence it's an RC bug, so I'd be very grateful if a DD could upload this for me. Thankyou Nick -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120815072023.ga30...@leverton.org
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On 13.08.2012 00:18, Nick Leverton wrote: [] diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog 2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog 2012-08-11 23:55:36.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) What's wrong with remotes being world-readable? Thanks, /mjt -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/502984e4.9080...@msgid.tls.msk.ru
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On Tue, Aug 14, 2012 at 02:51:16AM +0400, Michael Tokarev wrote: On 13.08.2012 00:18, Nick Leverton wrote: [] diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog2012-08-11 23:55:36.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) What's wrong with remotes being world-readable? For instance, it may include SMTP authentication information. G'luck, Peter -- Peter Pentchev r...@ringlet.net r...@freebsd.org pe...@packetscale.com PGP key:http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If I were you, who would be reading this sentence? signature.asc Description: Digital signature
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
Package: sponsorship-requests Severity: normal Dear mentors, I am looking for a sponsor for my package nullmailer, which I hope will qualify for a freeze exception as this upload fixes a new security issue. (I haven't yet approached ftp-masters about this though). Package name: nullmailer Version : 1:1.11-2 Upstream Author : Bruce Guenter br...@untroubled.org URL : http://untroubled.org/nullmailer/ License : GPL-2+ Section : mail It builds those binary packages: nullmailer - simple relay-only mail transport agent To access further information about this package, please visit the following URL: http://mentors.debian.net/package/nullmailer Alternatively, one can download the package with dget using this command: dget -x http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc Changes since the last upload: diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog2012-08-11 23:55:36.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) + + -- Nick Leverton n...@leverton.org Sat, 11 Aug 2012 23:54:55 +0100 + nullmailer (1:1.11-1) unstable; urgency=low * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-12 20:23:46.0 +0100 @@ -24,10 +24,14 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + R=$( tempfile -d /etc/nullmailer -p nullm ) echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \ --e 's/[][]//g' /etc/nullmailer/remotes +-e 's/[][]//g' $R + chown mail:mail $R + mv $R /etc/nullmailer/remotes db_get nullmailer/adminaddr if [ $RET ]; then -- To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120812201819.ga18...@leverton.org