Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 140141

Summary: mail-mta/qmail password stored in /var/qmail/control/smtproutes is stored in cleartext and the file is world-readable
Product: Gentoo Security Reporter: Burak Arslan <plq>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: major CC: qmail-bugs+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Burak Arslan 2006-07-12 11:05:12 UTC 
warehouse mp3 # emerge --info
Portage 2.0.54-r2 (default-linux/x86/no-nptl/2.4, gcc-3.3.6, glibc-2.3.6-r3, 2.6.16-gentoo-r7 i686)
=================================================================
System uname: 2.6.16-gentoo-r7 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.3.5-r2, 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/gcc-config: 1.3.13-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE=""
ADA_INCLUDE_PATH="/usr/lib/ada/adainclude/gtkada"
ADA_OBJECTS_PATH="/usr/lib/ada/adalib/gtkada"
ALSA_cards="hda-intel"
ANT_HOME="/usr/share/ant-core"
ARCH="x86"
AUTOCLEAN="yes"
BASH_ENV="/etc/spork/is/not/valid/profile.env"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=pentium4 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CLASSPATH="."
CLEAN_DELAY="5"
COLORTERM=""
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CVSROOT="/data/docs/src/cvs"
CVS_RSH="ssh"
CXXFLAGS="-O3 -march=pentium4 -fomit-frame-pointer -pipe"
DCCC_PATH="/usr/lib/distcc/bin"
DESKTOP_SESSION="kde-3.5"
DISPLAY=":0"
DISTCC_LOG=""
DISTCC_VERBOSE="0"
DISTDIR="/usr/portage/distfiles"
DM_CONTROL="/var/run/xdmctl"
EDITOR="/bin/nano"
ELIBC="glibc"
EMERGE_WARNING_DELAY="10"
FEATURES="autoconfig distlocks sandbox sfperms strict"
FETCHCOMMAND="/usr/bin/wget -t 5 --passive-ftp -P ${DISTDIR} ${URI}"
GCC_SPECS=""
GDK_USE_XFT="1"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
GPS_DOC_PATH="/usr/share/doc/gps-bin-1.4.0/html"
GS_LIB="/home/plq/.fonts"
GTK2_RC_FILES="/etc/gtk-2.0/gtkrc:/home/plq/.gtkrc-2.0:/home/plq/.kde3.5/share/config/gtkrc-2.0"
GTK_RC_FILES="/etc/gtk/gtkrc:/home/plq/.gtkrc:/home/plq/.kde3.5/share/config/gtkrc"
G_BROKEN_FILENAMES="1"
HOME="/root"
HOSTNAME="warehouse"
INFODIR="/usr/athena/info"
INFOPATH="/usr/share/info:/usr/share/binutils-data/i686-pc-linux-gnu/2.16.1/info:/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info:/usr/share/info/emacs-21"
JAVAC="/opt/blackdown-jdk-1.4.2.03/bin/javac"
JAVA_HOME="/opt/blackdown-jdk-1.4.2.03"
JDK_HOME="/opt/blackdown-jdk-1.4.2.03"
KDEDIRS="/usr"
KDE_FULL_SESSION="true"
KDE_MULTIHEAD="false"
KERNEL="linux"
KONSOLE_DCOP="DCOPRef(konsole-10511,konsole)"
KONSOLE_DCOP_SESSION="DCOPRef(konsole-10511,session-3)"
LANG="en_US.utf8"
LANGUAGE="en_US.utf8"
LC_ALL="en_US.utf8"
LESS="-R -M --shift 5"
LESSOPEN="|lesspipe.sh %s"
LOGNAME="root"
MAKEOPTS="-j4"
MANDIR="/usr/athena/man"
MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/i686-pc-linux-gnu/2.16.1/man:/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man::/opt/blackdown-jdk-1.4.2.03/man:/usr/qt/3/doc/man:/opt/vmware/man"
OPENGL_PROFILE="nvidia"
PAGER="/usr/bin/less"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/athena/sbin:/usr/i686-pc-linux-gnu/gcc-bin/3.3.6:/opt/blackdown-jdk-1.4.2.03/bin:/opt/blackdown-jdk-1.4.2.03/jre/bin:/usr/kde/3.5/sbin:/usr/kde/3.5/bin:/usr/qt/3/bin:/opt/vmware/bin:/var/qmail/bin"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 ppc-macos s390 sh sparc x86 x86-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_CALLER="emerge"
PORTAGE_GID="250"
PORTAGE_MASTER_PID="25526"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PRELINK_PATH=""
PRELINK_PATH_MASK="/usr/lib/gstreamer-0.8"
PWD="/data/media/duy/mp3"
PYTHONDOCS="/usr/share/doc/python-docs-2.4.2/html"
PYTHONPATH="/usr/lib/portage/pym"
QMAIL_CONTROLDIR="/var/qmail/control"
QMAKESPEC="linux-g++"
QTDIR="/usr/qt/3"
RESUMECOMMAND="/usr/bin/wget -c -t 5 --passive-ftp -P ${DISTDIR} ${URI}"
RPMDIR="/usr/portage/rpm"
RSYNC_RETRIES="3"
RSYNC_TIMEOUT="180"
SANE_CONFIG_DIR="/etc/sane.d"
SESSION_MANAGER="local/warehouse:/tmp/.ICE-unix/10498"
SGML_CATALOG_FILES="/etc/sgml/sgml-docbook.cat:/etc/sgml/openjade-1.3.2.cat:/etc/sgml/xml-docbook-4.4.cat:/etc/sgml/sgml-ent.cat:/etc/sgml/xml-simple-docbook-1.0.cat:/etc/sgml/xml-simple-docbook-4.1.2.4.cat:/etc/sgml/xml-docbook-4.1.2.cat:/etc/sgml/sgml-docbook-3.0.cat:/etc/sgml/sgml-docbook-3.1.cat:/etc/sgml/sgml-docbook-4.0.cat:/etc/sgml/sgml-docbook-4.1.cat:/etc/sgml/sgml-docbook-4.2.cat:/etc/sgml/sgml-docbook-4.4.cat:/etc/sgml/sgml-lite.cat:/etc/sgml/dsssl-docbook-stylesheets.cat"
SHELL="/bin/bash"
SHLVL="3"
STAGE1_USE="-nptl"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
TERM="xterm"
USE="X aalib acl acpi ada adns aim alsa apache2 apm arts audiofile bitmap-fonts bzip2 bzlib caps cdr cli cpdflib crypt cscope cups curl dba dga dio directfb divx4linux doc dri dts dvd dvdr eds emacs emboss encode ethereal exif expat fam fbcon ffmpeg flac foomaticdb fortran freetds ftp gd ggi gif gimpprint glut gmp gnutls gphoto2 gpm gstreamer gtk2 gtkhtml icq idn imagemagick imap imlib inifile isdnlog jabber java jpeg junit kde kerberos krb4 lcms ldap lesstif libcaca libwww linguas_fr linguas_tr lirc mad maildir matroska mhash mime mmx mmxext mng mozilla mp3 mpeg msn mysql ncurses nls nvidia oav odbc ogg oggvorbis openal opengl oscar oss pam pam-mysql pcre perl php png postgres ppds pppd python qt qt3 qt4 quicktime readline real reflection samba sasl scanner session shared slang slp sockets socks5 spell spl sql sse sse2 ssl subversion svg svga tcltk tcpd tetex threads tiff tokenizer truetype truetype-fonts type1-fonts unicode usb vhosts videos vorbis win32codecs wmf x86 xanim xine xml xml2 xmms xorg xv xvid yahoo zlib userland_GNU kernel_linux elibc_glibc"
USER="root"
USERLAND="GNU"
USE_EXPAND="FRITZCAPI_CARDS FCDSL_CARDS VIDEO_CARDS DVB_CARDS LIRC_DEVICES INPUT_DEVICES LINGUAS USERLAND KERNEL ELIBC"
WINDOWID="27262981"
XARGS="xargs -r"
XAUTHORITY="/root/.xauthjbOn4R"
XCURSOR_THEME="default"
XDG_CONFIG_DIRS="/usr/kde/3.5/etc/xdg"
XDG_DATA_DIRS="/usr/kde/3.5/share:/usr/share"
XDM_MANAGED="/var/run/xdmctl/xdmctl-:0,maysd,mayfn,sched,rsvd,method=classic"
XINITRC="/etc/X11/xinit/xinitrc"
XPSERVERLIST=""
_="/usr/bin/emerge"
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-04 07:26:35 UTC 
qmail please advise.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-09-04 07:39:16 UTC 
Umm, what are you smoking?
defaultdelivery does not contain any passwords at all.

$ cat /var/qmail/control/defaultdelivery
# Uncomment the next line for .forward support
#|dot-forward .forward
./.maildir/
Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2006-09-04 07:49:50 UTC 
Maybe he meant smtproutes, but there are no passwords in there by default and if the user changes something, it's up to him to configure his stuff correctly.