Bug#661954: make /etc/ssmtp/* not world readable

Tue, 28 Jan 2014 18:09:34 -0800 

Please find a patch that implements the suggested change of making
/etc/ssmtp/* readable by "root:mail" only and setting the ssmtp binary
as setgid and "root:mail".

commit 6a56c090225dace7706b561d6419f58d38214d7f
Author: Simon Deziel <[email protected]>
Date:   Tue Jan 28 20:49:19 2014 -0500

    Remove world access to /etc/ssmtp/* and change group to "mail".
    Install the ssmtp binary as setgid and owned by "root:mail".

diff --git a/debian/postinst b/debian/postinst
index dab9ed7..32b22ca 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -52,13 +52,15 @@ then
 	test -z "$FromOverride" && FromOverride=NO
 
 	touch /etc/ssmtp/ssmtp.conf.tmp
-	chmod 644 /etc/ssmtp/ssmtp.conf.tmp
+	chmod 640 /etc/ssmtp/ssmtp.conf.tmp
+	chgrp mail /etc/ssmtp/ssmtp.conf.tmp
 
 	sed "s/^root=.*/root=$root/;s/^mailhub=.*/mailhub=$mailhub/;s/^rewriteDomain=.*/rewriteDomain=$rewritedomain/;s/^hostname=.*/hostname=$hostname/;s/^FromLineOverride=.*/FromLineOverride=$FromOverride/;s/^#FromLineOverride=.*/FromLineOverride=$FromOverride/" /etc/ssmtp/ssmtp.conf > /etc/ssmtp/ssmtp.conf.tmp
 	mv -f /etc/ssmtp/ssmtp.conf.tmp /etc/ssmtp/ssmtp.conf
 else
 	touch /etc/ssmtp/ssmtp.conf
-	chmod 644 /etc/ssmtp/ssmtp.conf
+	chmod 640 /etc/ssmtp/ssmtp.conf
+	chgrp mail /etc/ssmtp/ssmtp.conf
 
 	exec 1>/etc/ssmtp/ssmtp.conf
 
diff --git a/debian/rules b/debian/rules
index a71dc20..9395f1e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -33,13 +33,13 @@ binary-arch:	checkroot configure build
 	install -m 755 debian/config debian/tmp/DEBIAN
 
 	install -d -m 755 debian/tmp/usr/sbin
-	install -s -m 755 ssmtp debian/tmp/usr/sbin/ssmtp
+	install -s -g mail -m 2755 ssmtp debian/tmp/usr/sbin/ssmtp
 	install -d -m 755 debian/tmp/usr/share/man/man8
 	install -m 644 ssmtp.8 debian/tmp/usr/share/man/man8/ssmtp.8
 	install -d -m 755 debian/tmp/usr/share/man/man5
 	install -m 644 ssmtp.conf.5 debian/tmp/usr/share/man/man5/ssmtp.conf.5
-	install -d -m 755 debian/tmp/etc/ssmtp
-	install -m 644 revaliases debian/tmp/etc/ssmtp/revaliases
+	install -d -g mail -m 750 debian/tmp/etc/ssmtp
+	install -g mail -m 640 revaliases debian/tmp/etc/ssmtp/revaliases
 
 	-cd debian/tmp/usr/sbin && ln -sf ssmtp sendmail
 	install -d -m 755 -o root -g root debian/tmp/usr/lib

Reply via email to