Sune Vuorela <[email protected]> writes:

> A while ago, ssmtp started requiring users to be in group:mail to be
> able to send emails. As "mail" traditionally is the group (and user) for
> mail transporting in general, as this is how /var/mail/* is governed.

At first glance, the analysis in the bug log from Rémi Denis-Courmont appears to be correct to me. Group mail is a privileged system group which has read/write access to everyone's mail in one of the two mail permission configurations that Debian explicitly supports (see Policy 11.6). It also allows a user in that group to delete anyone else's mail spool due to the default permissions on /var/mail. Overloading that group to control who can send outgoing mail looks like a bad conflation of two different privileges that will lead to users being given excessive and unexpected privileges.

However, all that's happened to date in the public bug log is that the maintainer has changed the severity; there's no wontfix tag or indication that the bug won't be fixed.

Aníbal, could you give some more background on your plans here? I don't think the severity is really the relevant question; the question is more whether you intend to keep the current behavior or if you already have plans to change it. If you plan to change it, then it probably doesn't matter a great deal what the bug severity is set to.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
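
An audit for the concern raised in this message, added here as an example and not part of the original email or of ssmtp: it lists every account that holds group mail (as a supplementary or primary group) and singles out ordinary user accounts. The function names, the sample files and the UID range 1000-59999 (Debian's default range for regular users) are assumptions of this example.

```shell
#!/bin/sh
# Added example: which accounts hold group "mail", and which are ordinary users?

# Print "user uid" for every account in group mail: supplementary members
# listed in the group file plus accounts whose primary GID is mail's GID.
mail_group_accounts() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: '
        FNR == NR {                       # first file: the group database
            if ($1 == "mail") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        ($1 in member) || (gid != "" && $4 == gid) { print $1, $3 }
    ' "$group_file" "$passwd_file" | sort
}

# Ordinary (non-system) accounts among them.
# Assumption: regular users have UIDs 1000-59999 (Debian default).
ordinary_mail_accounts() {
    mail_group_accounts "$@" | awk '$2 >= 1000 && $2 <= 59999 { print $1 }'
}

# Constructed sample databases: alice and bob were added to group mail,
# dave has it as primary group, carol is unaffected.
write_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
mail:x:8:alice,bob
users:x:100:carol
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
dave:x:1003:8::/home/dave:/bin/bash
EOF
}

sample=$(mktemp -d)
write_sample "$sample"
ordinary_mail_accounts "$sample/group" "$sample/passwd"
rm -rf "$sample"
```

Called without arguments, both functions read /etc/group and /etc/passwd; accounts defined only in a network directory are not covered.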

