Hello, maildrop is used for mail delivery or filtering. The /etc/maildrop/ directory containt the configuration file : eric maildrop # ls -la total 14 drwxr-xr-x 2 root root 1024 May 4 19:50 . drwxr-xr-x 80 root root 4096 May 4 19:50 .. -rw-r--r-- 1 root root 4549 May 4 19:50 maildropldap.cf -rw-r--r-- 1 root root 3163 May 4 19:50 maildropmysql.cf This files are world readable, a malicious local user could obtain senstive informations. Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: This files are world readable. Expected Results: This files should not be world readable
Fixed in CVS, thanks (is 1.7.0-r3) Cheers, Ferdy
Shouldn't have resolved that... im going to push 1.8.0 series as stable to fix this so we can remove the old ebuilds. BTW, sorry for messing with security bugs, didn't notice the first time. Cheers, Ferdy
Arches please mark maildrop-1.8.0-r3 stable.
Alpha stable.
Looks good on Sparc, but I'm not bumping it until I get the nod from Weeve/Gustavoz napavalley portage # cd /etc/maildrop napavalley maildrop # ls -l total 0 -rw-r----- 1 root root 0 May 5 08:16 maildropmysql.cf
Stable on sparc.
Oops slipped under my radar. This one is ready for GLSA decision. I tend to vote NO.
I agree with NO. Specific subconfig files containing passwords should/could be restricted post-config on machines with local hostiles... Closing.
