Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 23502

Summary: Insecure Permissions set on /etc/vpopmail.conf after emerging vpopmail with mysql use flag
Product: Gentoo Linux Reporter: Will Robertson <will>
Component: [OLD] ServerAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: grandmasterlinux, robbat2, security, swtaylor
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Will Robertson 2003-06-25 18:17:26 UTC 
the /etc/vpopmail.conf file contains unencrypted password information for 
accessing the MySQL db to modify the vpopmail tables. However, by default the 
file is world readable.

Reproducible: Always
Steps to Reproduce:
1. Enable USE flag mysql
2. Emerge vpopmail and dependencies
3. Look at /etc/vpopmail.conf permissions
Actual Results:  
-rw-r--r--    1 root     root          427 Jun 25 18:43 vpopmail.conf

Expected Results:  
the passwords should either be stored elsewhere in a secure location, or this 
file should not be world readable.

This could cause a severe security problem for hosting companies, in that users 
can access mail user tables freely.

rogue bin # emerge info
Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20-gentoo-r1 i686 Celeron (Mendocino)
GENTOO_MIRRORS="http://gentoo.oregonstate.edu 
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/confi
g /usr/kde/3/share/config"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 libwww mmx ncurses nls spell xml2 zlib gdbm slang readline pam ssl 
perl python apm berkdb crypt mysql curl imap"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-O2 -mcpu=i686 -pipe"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache"

rogue bin #
Comment 1 Will Robertson 2003-06-25 21:36:28 UTC 
reducing criticality after reviewing other bugs trying to find the right critical level.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2003-08-06 01:30:49 UTC 
Fixed in -r6 coming shortly.

Security: should we do a GLSA about this?
Comment 3 John Mylchreest (RETIRED) gentoo-dev 2003-10-01 12:28:26 UTC 
I feel we should, asking people to bump to the newest version, or to fix
file permissions manually.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2003-10-01 14:22:13 UTC 
GLSA details:
Vunerable versions: anything before vpopmail-5.2.1-r6
Non Vunerable versions: vpopmail-5.2.1-r6
Comment 5 John Mylchreest (RETIRED) gentoo-dev 2003-10-02 12:11:09 UTC 
GENTOO LINUX SECURITY ANNOUNCEMENT 200310-01 was sent to gentoo-announce@gentoo.org,
bugtraq@securityfocus.com and full-disclosure@lists.netsys.com
Comment 6 Scott Taylor (RETIRED) gentoo-dev 2003-10-05 14:38:47 UTC 
I see how this file is getting the 600 permission, but after letting emerge
do its thing, the file /etc/vpopmail.conf was still owned by root, therefore
unreadable by the delivery program that needed to read that conf file. "chown
vpopmail /etc/vpopmail.conf" got my mail running again. Did I follow an uncommon
install/upgrade path or is the ebuild just not setting ownership when it
should be?