239197 – mail-mta/ssmtp - ssmtp.conf password leakage

Bug 239197 - mail-mta/ssmtp - ssmtp.conf password leakage

Summary: mail-mta/ssmtp - ssmtp.conf password leakage

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Net-Mail Packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-09-30 21:41 UTC by David Sparks
Modified:	2008-11-29 20:28 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David Sparks 2008-09-30 21:41:24 UTC

/etc/ssmtp/ssmtp.conf leaks credentials because the file is readable by anyone able to send email.

A flawed attempt to fix this was done in bug #187841.  However anyone added to the ssmtp group is now able to read the credentials because the conf file is not protected.  So the protection is nil, and there is a large (unwanted) side effect that users that could send email are suddenly not able to send email anymore after ssmtp upgrades.

A potential way to fix the data leakage problem is to make the ssmtp binary suid root and change the permissions of the conf file to 0600.  This scenario is what suid binaries exist for.  One should not be afraid of using suid binaries due to some overzealous security mantra.

Another potential fix is to add a USE flag that disables the ssmtp group creation and special permissions for setups that don't use credentials for sending email.  This would allow one to restore ssmtp to the older behavior, which happens to be consistent with the other MTAs Gentoo supports.

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2008-10-01 02:38:00 UTC

What credentials?

Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev

2008-10-01 16:08:56 UTC

(In reply to comment #1)
> What credentials?
> 

username/password to log in to a smtp relay.

adding security@g.o for an advice.

Comment 3 Vladimir Berezhnoy 2008-11-04 01:29:52 UTC

New ssmtp default settings do really need to be changed. Of course security is important, but ssmtp is intended to be simple MTA. With the new behavior, ssmtp will not work at all after it is installed, while sendmail and any other MTA will just work without any additional configuration.
I'me agree with David Sparks that new behavior should be made optional and disabled by default, or even the ebuild should be just reverted back to the previous simple behavior.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2008-11-04 14:43:43 UTC

If you want people not to gain knowledge of the login credentials, the ssmtp group solution is not the way to go. It does limit the number of users that can access the file (to those who are selected to be able to send mail), but they can still read the password.
This is not a problem in proper setups (because should only allow them to send mail, which they can do before already), but the password might be used in other contexts.
What about keeping the file 0640 root:ssmtp, and make /usr/sbin/ssmtp root:ssmtp, but 02710 (setgid ssmtp)?

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev

2008-11-04 16:48:12 UTC

Thanks for your feedback Robert!

(In reply to comment #4)
> What about keeping the file 0640 root:ssmtp, and make /usr/sbin/ssmtp
> root:ssmtp, but 02710 (setgid ssmtp)?
> 

That's one solution I thought about - and for now I think that's the way it should be. I'd make this the default behaviour, but for people who don't see this potentional password leakage as a problem or leak in their specific setups I'll add a use-flag to disable the setgid protection and restore the "old" behaviour that way.

Any objections on that?

Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev

2008-11-29 20:28:05 UTC

setgid (2711) on the ssmtp binary as of 2.62-r4.