Package: ssmtp
Version: 2.62-1
Severity: important

Because ssmtp is run by the user invoking sendmail, its config file is required to be readable. However, this results in disclosure of the username/password used for SMTP AUTH on the relaying mail server.

Please consider fixing this. Example methods: Add an ssmtp group, change the ownership and permissions of /etc/ssmtp/* to root:ssmtp 0640 or 0660, and make ssmtp/sendmail root:ssmtp and setgid so that when run by a user, it runs as group ssmtp and gets permission to read the file; the user won't ever have permission to read. You could also use the existing "mail" group, if appropriate.

You could also do this using setuid to root or a ssmtp user, but this is unnecessary and has potential security implications that a simple setgid change would not.

This won't require any code changes; it's simply an ownership/permissions tweak.

Thanks,
Roger

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.26-1-powerpc
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]  1.5.22   Debian configuration management sy
ii  libc6                  2.7-13   GNU C Library: Shared libraries
ii  libgnutls26            2.4.1-1  the GNU TLS library - runtime libr

ssmtp recommends no packages.
ssmtp suggests no packages.

-- debconf information excluded
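The following is an added example, not code from the bug report or from the ssmtp package. It applies the group-based permission tweak the report proposes (dedicated ssmtp group, config files root:ssmtp 0640, binary setgid rather than setuid) and provides two checks an administrator can use to verify the result: that the config file is not world-readable, and that the binary carries the setgid bit but not the setuid bit. The group name and the 0640 mode come from the report; the /usr/sbin/ssmtp install path and the ROOT prefix (to allow running against a staging tree) are assumptions. The checks rely on GNU stat.

```shell
#!/bin/sh
# Added example: apply and verify the group-based protection of the ssmtp
# config proposed in the bug report. Not part of the report or the package.

ROOT="${ROOT:-}"                    # assumption: optional prefix for a staging tree
CONF_DIR="$ROOT/etc/ssmtp"          # path from the report
SSMTP_BIN="$ROOT/usr/sbin/ssmtp"    # assumption: Debian install path of the binary
GRP="ssmtp"                         # group name proposed in the report

# Apply the ownership/permission change (must be run as root).
# Config files become root:ssmtp 0640; the binary becomes root:ssmtp with the
# setgid bit (2755), so a user running it gains only the ssmtp group.
harden_ssmtp() {
    getent group "$GRP" >/dev/null 2>&1 || groupadd --system "$GRP"
    chown root:"$GRP" "$CONF_DIR"/*
    chmod 0640 "$CONF_DIR"/*
    chown root:"$GRP" "$SSMTP_BIN"
    chmod 2755 "$SSMTP_BIN"
}

# Return 0 if the file is not readable by "other", 1 otherwise.
# stat %a prints the octal mode; the last digit is the "other" triplet,
# and bit 4 in that triplet is read permission.
not_world_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -eq 0 ]
}

# Return 0 if the file is setgid (bit 2 of the special digit) and NOT
# setuid (bit 4), which is the combination the report recommends.
# stat %a prints a leading fourth digit only when a special bit is set.
setgid_not_setuid() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    [ $(( special & 2 )) -ne 0 ] && [ $(( special & 4 )) -eq 0 ]
}

# Audit an installed system: exit non-zero if either property does not hold.
audit_ssmtp() {
    ok=0
    for f in "$CONF_DIR"/*; do
        not_world_readable "$f" || { echo "world-readable: $f"; ok=1; }
    done
    setgid_not_setuid "$SSMTP_BIN" || { echo "not setgid-only: $SSMTP_BIN"; ok=1; }
    return $ok
}
```

Run `harden_ssmtp` once as root, then `audit_ssmtp` from any account to confirm the config is no longer world-readable; the audit is what you would put in a post-install check, since a later package upgrade or manual edit can silently restore 0644.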

