|Summary:||qmail requires checkpassword and cmd5checkpw, which aren't always used|
|Product:||Gentoo Linux||Reporter:||Kyle England (RETIRED) <kengland>|
|Component:||New packages||Assignee:||Qmail Team (OBSOLETE) <qmail-bugs+disabled>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Kyle England (RETIRED) 2005-02-26 15:41:45 UTC
qmail installs both checkpassword and cmd5checkpw This may be great for some installs, but they're not needed on others. The recent GLSA brought this to my attention. http://www.gentoo.org/security/en/glsa/glsa-200502-30.xml I realize that if I'm not using it, I don't have much to worry about, but still. If it's not needed, I don't want it on my server. Reproducible: Always Steps to Reproduce: 1. emerge qmail 2. 3. Expected Results: A USE flag related to checkpassword and cmd5checkpw would be nice. If that existed, these packages could be installed, only if needed.
Comment 1 Russell Smith 2005-05-25 17:30:43 UTC
The converse bug to this is the fact that their are multiple checkpassword implementations. Currently only two are in portage. The default, and checkpassword-pam. However qmail requires that checkpassword is installed, as mentioned in the initial report. You should be able to install a different checkpassword.
Comment 2 Bernd Wurst 2005-06-06 03:17:23 UTC
I would like to add, that you can supply a use-flag named "noauthcram" in newest qmail ebuilds. If this flag is supplied, cmd5checkpw really should not be installed!
Comment 3 Michael Hanselmann (hansmi) (RETIRED) 2005-08-10 14:25:53 UTC
The problem with this is, that if the user decides to enable the corresponding options in conf-smtpd (cmd5checkpw), things will break. Can this be tollerated?
Comment 4 Bernd Wurst 2005-08-11 08:28:40 UTC
I obviously would say yes. ;-) What about a "big fat warning" insde the configfile?
Comment 5 Michael Hanselmann (hansmi) (RETIRED) 2005-08-11 09:55:26 UTC
Sounds good. I'll implement this.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) 2005-08-14 04:02:19 UTC
Done in CVS. Can you please check wether it's what you meant?
Comment 7 Michael Hanselmann (hansmi) (RETIRED) 2005-09-11 14:27:27 UTC
No response in a month, closing.