Hi Jakub,

On 2019-11-05 9:29 a.m., Jakub Wilk wrote:
> Package: msmtp
> Version: 1.8.6-1
> Tags: security
> 
> If /etc/msmtprc is readable by group msmtp (as suggested in
> README.Debian), any user can acquire the password from that file:
> 
>   $ ls -l /etc/msmtprc
>   -rw-r----- 1 root msmtp 86 Nov  5 15:06 /etc/msmtprc
> 
>   $ cat /etc/msmtprc
>   cat: /etc/msmtprc: Permission denied
> 
>   $ msmtp --debug nob...@example.org < /dev/null
>   loaded system configuration file /etc/msmtprc
>   ignoring user configuration file /home/jwilk/.msmtprc: No such file or directory
>   falling back to default account
>   using account default from /etc/msmtprc
>   ...
>   --> AUTH PLAIN AGFsaWNlAGh1bnRlcjI=
>   ...
> 
>   $ base64 -d <<< 'AGFsaWNlAGh1bnRlcjI=' | tr '\0' ':'; echo
>   :alice:hunter2

Nice catch! Having /etc/msmtprc group readable is, AFAIK, a "debianism".
I don't know if upstream endorses this method of restricting access
to the default account's password.

That said, I think it would be feasible for msmtp to obfuscate the AUTH
line when the UID/GID do not match the EUID/EGID and the config file
used is not world-readable.

The upstream developer is usually very responsive so it would be great
if you could report it to him.

Thank you!
Simon
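
The following is an added example, not part of the message above and not msmtp's own code: a sketch of the check proposed in the reply, masking the AUTH initial response in debug output when the real and effective IDs differ and the configuration file is not world-readable. The function names must_hide_auth and render_debug_line are hypothetical.

```c
/* Added example, not msmtp's code; function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* True when the process runs with IDs other than the invoking user's
 * (setuid/setgid binary) and the config file is not readable by "other". */
int must_hide_auth(uid_t uid, uid_t euid, gid_t gid, gid_t egid, mode_t conf_mode)
{
    int elevated = (uid != euid) || (gid != egid);
    int conf_private = !(conf_mode & S_IROTH);
    return elevated && conf_private;
}

/* Copy one SMTP command into out for the debug log. If hide is set and the
 * command is "AUTH <mech> <initial-response>", the response is replaced by
 * "*". Returns 1 if something was redacted, 0 otherwise. */
int render_debug_line(const char *cmd, int hide, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    if (hide && strncasecmp(cmd, "AUTH ", 5) == 0) {
        const char *resp = strchr(cmd + 5, ' ');
        if (resp != NULL && resp[1] != '\0') {
            snprintf(out, outlen, "%.*s *", (int)(resp - cmd), cmd);
            return 1;
        }
    }
    snprintf(out, outlen, "%s", cmd);
    return 0;
}

int main(void)
{
    struct stat st;
    char buf[128];
    /* Sample input: the AUTH line quoted in the report above. */
    const char *cmd = "AUTH PLAIN AGFsaWNlAGh1bnRlcjI=";
    /* If stat() fails, mode 0 counts as private, so the check fails closed. */
    mode_t mode = stat("/etc/msmtprc", &st) == 0 ? st.st_mode : 0;
    int hide = must_hide_auth(getuid(), geteuid(), getgid(), getegid(), mode);

    render_debug_line(cmd, hide, buf, sizeof buf);
    printf("--> %s\n", buf);
    return 0;
}
```

Mechanisms such as LOGIN send the credentials on later lines rather than on the AUTH line itself, so a full fix would have to suppress those lines as well.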
