Bug 91465 - maildrop insecure file & directory permissions : information leak

Bug#: 91465
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: eromang@zataz.net
Component: Vulnerabilities
URL:
Summary: maildrop insecure file & directory permissions : information leak
Keywords:
Status Whiteboard: A4 [noglsa] jaervosz

Opened: 2005-05-04 11:40 0000

Hello,
maildrop is used for mail delivery or filtering.
The /etc/maildrop/ directory contains the configuration files:
eric maildrop # ls -la
total 14
drwxr-xr-x 2 root root 1024 May 4 19:50 .
drwxr-xr-x 80 root root 4096 May 4 19:50 ..
-rw-r--r-- 1 root root 4549 May 4 19:50 maildropldap.cf
-rw-r--r-- 1 root root 3163 May 4 19:50 maildropmysql.cf
These files are world readable; a malicious local user could obtain sensitive information.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Actual Results:
These files are world readable.
Expected Results:
These files should not be world readable.

Fixed in CVS, thanks (is 1.7.0-r3)
Cheers,
Ferdy
Shouldn't have resolved that... I'm going to push the 1.8.0 series as stable to fix
this so we can remove the old ebuilds.
BTW, sorry for messing with security bugs, didn't notice the first time.
Cheers,
Ferdy
Arches please mark maildrop-1.8.0-r3 stable.
Looks good on Sparc, but I'm not bumping it until I get the nod from
Weeve/Gustavoz
napavalley portage # cd /etc/maildrop
napavalley maildrop # ls -l
total 0
-rw-r----- 1 root root 0 May 5 08:16 maildropmysql.cf
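The check and fix discussed in the report and confirmed by the listing above, as an added example that is not part of the bug thread or the maildrop package: a small audit that flags world-readable files in a maildrop-style config directory and tightens them to the 0640 (-rw-r-----) mode the fixed ebuild ships. The sample directory and its file contents are constructed here to mirror the reporter's listing.

```shell
#!/bin/sh
# Added example, not from the bug report or the maildrop ebuild.
# Audits a config directory for files readable by "other" and restricts them.

# List regular files directly under $1 that grant read access to "other"
# (-perm -004: the other-read bit is set). Returns 1 if any were found.
find_world_readable() {
    offenders=$(find "$1" -maxdepth 1 -type f -perm -004)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Set every regular file directly under $1 to 0640 (owner rw, group r),
# matching the -rw-r----- mode shown for the fixed package.
restrict_configs() {
    find "$1" -maxdepth 1 -type f -exec chmod 0640 {} +
}

# Constructed sample directory reproducing the reporter's listing:
# two .cf files created world-readable (0644) with placeholder contents.
make_sample_dir() {
    d=$(mktemp -d)
    for f in maildropldap.cf maildropmysql.cf; do
        printf 'password = constructed-placeholder\n' > "$d/$f"
        chmod 0644 "$d/$f"
    done
    echo "$d"
}

# Demo run: audit, fix, audit again, clean up.
sample=$(make_sample_dir)
echo "Before fix:"
find_world_readable "$sample" || echo "-> world-readable files found"
restrict_configs "$sample"
echo "After fix:"
find_world_readable "$sample" && echo "-> clean"
rm -rf "$sample"
```

The same audit can be pointed at the real /etc/maildrop after an upgrade to confirm that locally edited .cf files did not keep the old 0644 mode.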
Oops, slipped under my radar. This one is ready for GLSA decision. I tend to
vote NO.
I agree with NO. Specific subconfig files containing passwords should/could be
restricted post-config on machines with local hostiles...
Closing.