Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 82316

Summary: courier-authlib-0.53 needs to set proper permissions
Product: Gentoo Linux Reporter: Adam Theo <theo>
Component: New packagesAssignee: Scott Taylor (RETIRED) <swtaylor>
Status: RESOLVED INVALID    
Severity: normal CC: iggy, korte, net-mail+disabled, wicher
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Adam Theo 2005-02-17 00:26:11 UTC 
I recently upgraded to 'Courier-IMAP' v4 from v3, and after solving the already known problems about manually migrating 'authdaemond' to 'courier-authlib', I ran into another problem when trying to get my old postfix to work with the new authdaemond socket (I have my postfix's SASL2 use authdaemond instead of saslauthd).

Outbound mail was being rejected by Postfix because of authentication failure. The error given in the postfix logs: "cannot connect to Courier authdaemond: Permission denied". I figured out that the new socket created by courier-authlib can't be accessed by Postfix because a higher-up directory has permissions preventing access by users not in the 'mail' group. This directory was '/var/lib/courier/authdaemon'.

I worked around this problem by 'chmod 755' this directory, but I imagine a better solution would be for the courier-authlib ebuild to warn the users that they need to add any services using authdaemond to the 'mail' group.

Reproducible: Always
Steps to Reproduce:
1. emerge & configure courier-authlib
2. configure postfix/sasl2 to use authdaemond instead of saslauthd

Actual Results:  
Outbound mail was being rejected by Postfix because of authentication failure.
The error given in the postfix logs: "cannot connect to Courier authdaemond:
Permission denied"
Comment 1 Scott Taylor (RETIRED) gentoo-dev 2005-02-17 17:20:52 UTC 
This directory absolutely must not be world-readable as that permits the world to
query the list of users on the system and in the databases, as well as their
passwords, which is a very, VERY bad thing. Yes we should see about getting the
mailservers like postfix to all be in a matching group. You've opted for a big
information disclosure vulnerability to any local user on your system with that
set of permissions though.
Comment 2 Jory A. Pratt 2005-06-04 21:06:05 UTC 
I personally would like to know what user authdeamon is being run as and what
postfix is being run as .. most common problem I have seen is two different
users are running the service instead of same user for both.
Comment 3 Tuan Van (RETIRED) gentoo-dev 2005-06-04 23:08:08 UTC 
(In reply to comment #0)

> I worked around this problem by 'chmod 755' this directory, 
as comment #1 stated, it's a bad thing.

> they need to add any services using authdaemond to the 'mail' group.
agree. `gpasswd -a postfix mail` should work for postfix. Similar for other
services. And no, we are not going to change postfix to smtpd run as "mail"
instead of "postfix". You just have to add postfix to mail group by yourself.
We'll change cyrus-sasl ebuild to warn the users if USE=authdaemon. It's up to
Scott to add the warning to courier-authlib or WONTFIX.
Comment 4 Henti Smith 2005-07-13 00:34:20 UTC 
Ummm ... where can I find information on "the already known problems about
manually migrating 'authdaemond' to 'courier-authlib'" ? 

I was forced to update qmail to relay-ctrl which broke courier etc etc. 

help *beg*
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2005-07-17 11:18:53 UTC 
Mass re-assign, seems like mail-mta/courier needs a maintainer.
Comment 6 Marek Kwasceki 2005-08-01 10:42:46 UTC 
(In reply to comment #4)
> Ummm ... where can I find information on "the already known problems about
> manually migrating 'authdaemond' to 'courier-authlib'" ? 
> 
> I was forced to update qmail to relay-ctrl which broke courier etc etc. 
> 
> help *beg* 

maybe #98745?
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2005-08-24 11:03:01 UTC 
*** Bug 103602 has been marked as a duplicate of this bug. ***
Comment 8 Wicher Minnaard 2005-08-24 14:33:22 UTC 
Why is bug 103602 a duplicate? It's not clear to me. Could be me, but I guess 
the pidof bug results from an initscript error, while bug 82316 is about 
permissions (and postfix, and sasl2).
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2006-02-18 10:46:34 UTC 
There's no bug here, the permissions are correct. See comment #1 and comment #3. cyrus-sasl now warns about this, closing.
Comment 10 Chris Mayo 2021-12-19 17:10:47 UTC 
*** Bug 829411 has been marked as a duplicate of this bug. ***