Your message dated Sun, 23 Jul 2006 09:11:03 -0300
with message-id <[EMAIL PROTECTED]>
and subject line Bug#379082: cyrus-imapd-2.2: tighten security on lmtp unix
domain socket
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: cyrus-imapd-2.2
Version: 2.2.13-3
Severity: wishlist
In a new install, I get
# ls -l /var/run/cyrus/socket/
srwxrwxrwx 1 root root 0 2006-07-20 22:25 lmtp
srwxrwxrwx 1 root root 0 2006-07-20 22:25 notify
*If* I understand this correctly, that means anyone on the local
system can write to the lmtp socket, and they will then authenticate
as an administrative user (says "Cyrus IMAP Server: Overview and
Concepts"--Readme.Debian has a cryptic note about authenticating as
"postman").
This seems like it might be a security problem (the same Cyrus doc says
access is limited by controlling access to the socket).
I know the Debian docs note several times one can change the
permissions, but perhaps it should ship with a more restrictive
configuration. Or perhaps I'm confused.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages cyrus-imapd-2.2 depends on:
ii cyrus-common-2.2 2.2.13-3 Cyrus mail system (common files)
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libdb4.2 4.2.52-23.1 Berkeley v4.2 Database Libraries [
ii libsasl2 2.1.19.dfsg1-0.2 Authentication abstraction library
ii libssl0.9.8 0.9.8b-2 SSL shared libraries
ii libwrap0 7.6.dbs-9 Wietse Venema's TCP wrappers libra
cyrus-imapd-2.2 recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Sat, 22 Jul 2006, Ross Boylan wrote:
> $ ls -ld /var/run/cyrus/socket
> drwxr-x--- 2 cyrus mail 96 2006-07-22 10:14 /var/run/cyrus/socket
>
> That looks better. So I guess this was just a misunderstanding on my
> part. Sorry.
No problem. I am closing the bug, then.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
--- End Message ---
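
Added example, not part of the original thread or of the Cyrus or Debian packaging: a check for the situation resolved above, where the sockets are mode srwxrwxrwx but the enclosing /var/run/cyrus/socket directory is drwxr-x--- cyrus:mail. The function names are hypothetical; it assumes GNU stat and an absolute path, and it ignores ACLs and symlinks.

```shell
#!/bin/sh
# Added example (not from the thread). On Linux, connect() to a pathname
# socket needs write permission on the socket AND search (x) permission on
# every directory above it, so a 0777 socket is only as open as its path.
# Assumptions: GNU stat, absolute path, no ACLs, symlinks not resolved.

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    echo $(( mode % 10 ))
}

# world_reachable SOCKET: print "open" (status 0) if any local user can
# connect, else "restricted: <reason>" (status 1). Status 2 on error.
world_reachable() {
    case $1 in
        /*) ;;
        *) echo "error: absolute path required" >&2; return 2 ;;
    esac
    o=$(other_bits "$1") || return 2
    if [ $(( o & 2 )) -eq 0 ]; then        # no o+w on the socket itself
        echo "restricted: socket mode"
        return 1
    fi
    dir=$(dirname "$1")
    while :; do
        o=$(other_bits "$dir") || return 2
        if [ $(( o & 1 )) -eq 0 ]; then    # no o+x: others cannot traverse
            echo "restricted: $dir"
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "open"
}

# Usage: sh script.sh /var/run/cyrus/socket/lmtp
[ $# -eq 0 ] || world_reachable "$1"
```

The walk reports the nearest directory that blocks traversal, so for the layout in this report it names the socket directory rather than the socket's own mode.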