Package: msmtp
Version: 1.8.11-2
Severity: important
Tags: bookworm sid

Under at least some configurations, msmtp being setgid will now prevent it from talking to the D-Bus session bus via libsecret, and therefore prevent it from being able to retrieve passwords from gnome-keyring or (probably) KWallet. This is a result of security hardening in GLib aimed at preventing setuid/setgid/setcap/otherwise privileged processes from being subverted by crafted environment variables.

As mentioned in <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944188#21>, a previous attempt to apply this security hardening caused msmtp (and gnome-keyring) to regress, particularly for users of dbus-launch (which in particular includes all users of non-systemd init systems). Users of dbus-user-session (which requires systemd) are currently believed to be unaffected, although we have had one report of a regression even for a user of dbus-user-session (#994961) for which I'm waiting for more info.

It is possible that future GLib security hardening will additionally prevent privileged processes from trusting the XDG_RUNTIME_DIR from the environment, which would mean that a setgid msmtp cannot connect to D-Bus at all, even on systems that use dbus-user-session.

An upstream GLib maintainer followed up in <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944188#26> to set a deadline for reapplying the hardening in GLib 2.70. This deadline has now been reached and GLib 2.70 is in unstable, which means msmtp needs to choose one of these options:

1. Don't be setgid, and do support libsecret. This would also avoid trying to give security guarantees that msmtp upstream does not, and giving sysadmins a false sense of security regarding the extent to which passwords in /etc/msmtprc are protected (closing #944188). However, it would be a feature regression, losing the ability to get a system-wide password from a non-world-readable /etc/msmtprc.

2. Don't support libsecret, and do support setgid msmtp. This would also be a feature regression, losing the ability to get per-user passwords from gnome-keyring or KWallet.

3. Support both, but only one at a time, and document sysadmin configuration (perhaps via dpkg-statoverride, a debconf question, or two conflicting binary packages) to switch between modes. This would avoid any feature regression, but is higher-complexity than the other options.

I would personally go for option 1, because as I said in #944188, the other two are not supported by msmtp upstream and I think they only give a false sense of security; but it's the maintainer's decision. I do not intend to revert the security hardening in GLib for a second time unless GLib upstream do so, which they have indicated they will not.

    smcv

