
Bug 55458

Summary: qmail ebuild does not set correct conf-patrn - possible security hole
Product: Gentoo Linux
Reporter: Torne Wuff <torne-gentoozilla>
Component: [OLD] Server
Assignee: Net-Mail Packages <net-mail+disabled>
Status: RESOLVED WONTFIX    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   

Description Torne Wuff 2004-06-28 12:00:29 UTC
The default conf-patrn value set at compile time for qmail is 002, which means that .qmail files which are group-writable will be run and users whose home directories are group-writable will be considered valid. Since Gentoo by default uses a single 'users' group rather than a group per user, this is a security hole as a .qmail file which has inadvertently been made group-writable can be overwritten by any other user (or a home dir which is group-writable can have new .qmail files created in it) and qmail-local can then be made to execute arbitrary programs with the uid of the target user (which cannot be root, fortunately). The ebuild should set the value to 022 to prevent this.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-06-28 17:07:03 UTC
I use the functionality of group-writable directories myself, and you should be damn aware of the permissions on your home directories. If they are group writable, there are many far easier ways to get the user to run whatever you want.

Fix the source of the problem, don't just apply a band-aid fix like conf-patrn.
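
An audit sketch covering both positions in this thread, added here as an example and not part of the bug report or of qmail: it lists the home directory and .qmail files that a conf-patrn of 002 accepts but 022 rejects, which are also the permissions Comment 1 says should be fixed at the source. Assumptions: the check is modelled as `mode & patrn`, following the description above; the function names and the sample home directory are constructed for illustration.

```python
import os
import stat
import tempfile

DEFAULT_PATRN = 0o002   # compile-time default named in the report
STRICT_PATRN = 0o022    # value the report asks the ebuild to set


def patrn_violations(home, patrn):
    """Return [(path, mode)] for the home dir and its .qmail / .qmail-* files
    whose permission bits intersect the mask (modelled as mode & patrn)."""
    candidates = [home]
    candidates += sorted(
        os.path.join(home, name)
        for name in os.listdir(home)
        if name == ".qmail" or name.startswith(".qmail-")
    )
    hits = []
    for path in candidates:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & patrn:
            hits.append((path, mode))
    return hits


def masked_only_by_strict(home):
    """Paths accepted under 002 but rejected under 022: the group-writable
    cases the report is concerned with on a shared 'users' group."""
    loose = {p for p, _ in patrn_violations(home, DEFAULT_PATRN)}
    return [(p, m) for p, m in patrn_violations(home, STRICT_PATRN)
            if p not in loose]


def build_sample_home(root):
    """Constructed sample: group-writable home and .qmail, safe .qmail-list."""
    home = os.path.join(root, "alice")
    os.mkdir(home)
    for name, mode in ((".qmail", 0o664), (".qmail-list", 0o644)):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write("./Maildir/\n")
        os.chmod(path, mode)   # explicit chmod so the umask does not matter
    os.chmod(home, 0o775)
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for path, mode in masked_only_by_strict(build_sample_home(root)):
            print(f"{mode:04o} {path}")
```

Pointing `masked_only_by_strict` at real home directories (for example, each home field in the passwd database) gives the list of paths whose group-write bit needs removing.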