The /etc/vpopmail.conf file contains unencrypted password information for accessing the MySQL db to modify the vpopmail tables. However, by default the file is world readable.

Reproducible: Always

Steps to Reproduce:
1. Enable USE flag mysql
2. Emerge vpopmail and dependencies
3. Look at /etc/vpopmail.conf permissions

Actual Results:
-rw-r--r--    1 root     root          427 Jun 25 18:43 vpopmail.conf

Expected Results:
The passwords should either be stored elsewhere in a secure location, or this file should not be world readable.

This could cause a severe security problem for hosting companies, in that users can access mail user tables freely.

rogue bin # emerge info
Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20-gentoo-r1 i686 Celeron (Mendocino)
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 libwww mmx ncurses nls spell xml2 zlib gdbm slang readline pam ssl perl python apm berkdb crypt mysql curl imap"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -mcpu=i686 -pipe"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache"
rogue bin #
Reducing criticality after reviewing other bugs, trying to find the right critical level.
Fixed in -r6 coming shortly. Security: should we do a GLSA about this?
I feel we should, asking people to bump to the newest version, or to fix file permissions manually.
GLSA details:
Vulnerable versions: anything before vpopmail-5.2.1-r6
Non-vulnerable versions: vpopmail-5.2.1-r6
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-01 was sent to gentoo-announce@gentoo.org, bugtraq@securityfocus.com and full-disclosure@lists.netsys.com
I see how this file is getting the 600 permission, but after letting emerge do its thing, the file /etc/vpopmail.conf was still owned by root, therefore unreadable by the delivery program that needed to read that conf file. "chown vpopmail /etc/vpopmail.conf" got my mail running again. Did I follow an uncommon install/upgrade path or is the ebuild just not setting ownership when it should be?
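The thread ends up needing two properties on a config file that carries a database password: no group/other permission bits (the original report, mode 644, root:root) and ownership by the account that actually has to read it (the last comment, mode 600 but still root-owned, so the delivery program was locked out). The script below is an added example, not code from the bug thread or from the vpopmail ebuild; it checks both conditions and applies the fix the thread converged on. The path /etc/vpopmail.conf and the user name vpopmail come from the thread; the function names, the exit codes and the assumption that the delivery program runs as vpopmail are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild): verify that a
# credential-bearing config file is private AND owned by its intended reader.

# Print "<octal mode> <numeric uid>" for FILE. GNU stat first, BSD stat fallback.
file_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# check_conf_perms FILE OWNER   (OWNER is a user name or numeric uid)
#   0: FILE is readable by OWNER and by nobody else
#   1: FILE missing, or its owner has no read bit
#   2: group or other bits set (the world-readable case from the report)
#   3: owned by someone other than OWNER (the root-owned case from the last comment)
check_conf_perms() {
    f=$1; want=$2
    [ -e "$f" ] || { echo "$f: does not exist"; return 1; }
    want_uid=$(id -u "$want" 2>/dev/null) || { echo "$f: unknown user $want"; return 3; }
    set -- $(file_mode_owner "$f")
    mode=$1; owner=$2
    go=${mode#"${mode%??}"}            # last two octal digits: group, other
    u=${mode%??}; u=${u#"${u%?}"}      # third from last: owner bits (ignores setuid/sticky)
    case $u in
        4|5|6|7) ;;
        *) echo "$f: owner cannot read it (mode $mode)"; return 1 ;;
    esac
    [ "$go" = "00" ] || { echo "$f: group/other bits set (mode $mode)"; return 2; }
    [ "$owner" = "$want_uid" ] || { echo "$f: owned by uid $owner, expected $want"; return 3; }
    return 0
}

# fix_conf_perms FILE OWNER: chown to the reader, then 0600. Changing the owner
# to another account needs root; the order matters, since 0600 root:root is
# exactly the broken state described in the last comment.
fix_conf_perms() {
    chown "$2" "$1" && chmod 0600 "$1"
}

# Stand-alone use against the real file (as root), e.g. after the -r6 upgrade:
#   sh this_script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_conf_perms /etc/vpopmail.conf vpopmail && echo "/etc/vpopmail.conf: ok"
fi
```

In an ebuild the same two steps are `fowners` and `fperms` on the installed file in src_install; the check above is what you would run on an existing system to confirm that the upgrade, or a manual `chown vpopmail` plus `chmod 600`, actually left the file in the state the delivery program needs.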