91426 2005-05-04 06:23 0000 mail-filter/amavisd-new insecure file permission 2005-05-12 05:46:52 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B4 [noglsa] jaervosz P2 normal --- 1 zataz@zataz.net security@gentoo.org antivirus@gentoo.org genone@gentoo.org net-mail@gentoo.org zataz@zataz.net 2005-05-04 06:23:26 0000 Hello, the file /etc/amavisd.conf has bad right. If you use amavisd-new is compiled with mysql or postgresql this file shouldn't be other readable, they are sensitive informations in this file. Maybe could be chown root:amavis amavisd.conf && chmod 540 amavisd.conf Also, this is possible that other importante file of amavis are readable or exectuble by all Regards Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: /etc/amavisd.conf readable by all Expected Results: /etc/amavisd.conf shouldn't be readable by all How to configure amavisd-new with mysql : @lookup_sql_dsn = ( ['DBI:mysql:maildb:host1', 'mail', 'very_secret_password'] ); (For clarity uncomment the default) $sql_select_policy = 'SELECT *,users.id FROM users,policy'. ' WHERE (users.policy_id=policy.id) AND (users.email IN (%k))'. ' ORDER BY users.priority DESC'; (If you want sender white/blacklisting) $sql_select_white_black_list = 'SELECT wb FROM wblist,mailaddr'. ' WHERE (wblist.rid=?) AND (wblist.sid=mailaddr.id)'. ' AND (mailaddr.email IN (%k))'. ' ORDER BY mailaddr.priority DESC'; ferdy@gentoo.org 2005-05-04 09:00:03 0000 Just in case you need net-mail advise, setting sane permissions on /etc/amavisd.conf shouldn't cause any problems. I don't know of other apps that need access to that file Cheers, Ferdy jaervosz@gentoo.org 2005-05-04 09:06:54 0000 Thx Ferdy, I don't need advise (this time), I need an updated ebuild:-) ticho@gentoo.org 2005-05-04 11:56:13 0000 Ok, 2.2.1-r2 (latest stable on multiple arches) has been committed to fix this - 0640 permissions are now being used for /etc/amavisd.conf, which is being owned by root:amavis. I didn't bump unstable version (2.3.0), just modified it. jaervosz@gentoo.org 2005-05-04 23:15:13 0000 Thx everyone, this is ready for GLSA decision. I vote for NO GLSA. eromang@zataz.net 2005-05-06 14:52:06 0000 A message to warn sysadmin could be good, no need of GLSA i think ticho@gentoo.org 2005-05-06 15:29:47 0000 Right, as portage doesn't change the permissions of an existing file in /etc, we need to tell the admin to do it himself. Too bad. ticho@gentoo.org 2005-05-06 15:51:44 0000 ewarn message added to both 2.2.1-r2 and 2.3.0. jaervosz@gentoo.org 2005-05-07 01:42:39 0000 Adding Marius so he can comment. genone@gentoo.org 2005-05-07 03:11:47 0000 Well, you could change it in pkg_postinst. Just be minimal invaise there (so prefer `chmod o-rwx` over `chmod 640`), otherwise people might get pissed that you're grant permissions instead of removing them (in case they did a chmod 600 for example). jaervosz@gentoo.org 2005-05-07 10:25:36 0000 Thx Marius. Ticho I believe this should be added as well, back to ebuild status. ticho@gentoo.org 2005-05-08 02:05:47 0000 Ok, committed. Thanks, Marius. jaervosz@gentoo.org 2005-05-08 05:00:15 0000 Thx Thico. Back to glsa? One NO vote so far. ticho@gentoo.org 2005-05-08 11:30:25 0000 NO from me as well. jaervosz@gentoo.org 2005-05-11 07:21:31 0000 Sorry only Security Team members vote count officially. So please vote. koon@gentoo.org 2005-05-12 05:46:52 0000 Voting NO and closing.