Bug#379082: cyrus-imapd-2.2: tighten security on lmtp unix domain socket
Ross Boylan
ross at betterworld.us
Fri Jul 21 05:52:00 UTC 2006
Package: cyrus-imapd-2.2
Version: 2.2.13-3
Severity: wishlist
In a new install, I get
# ls -l /var/run/cyrus/socket/
srwxrwxrwx 1 root root 0 2006-07-20 22:25 lmtp
srwxrwxrwx 1 root root 0 2006-07-20 22:25 notify
*If* I understand this correctly, that means anyone on the local
system can write to the lmtp socket, and they will then authenticate
as an administrative user (says "Cyrus IMAP Server: Overview and
Concepts"--Readme.Debian has a cryptic note about authenticating as
"postman").
This seems like it might be a security problem (the same Cyrus doc says
access is limited by controlling access to the socket).
I know the Debian docs note several times one can change the
permissions, but perhaps it should ship with a more restrictive
configuration. Or perhaps I'm confused.
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages cyrus-imapd-2.2 depends on:
ii cyrus-common-2.2 2.2.13-3 Cyrus mail system (common files)
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libdb4.2 4.2.52-23.1 Berkeley v4.2 Database Libraries [
ii libsasl2 2.1.19.dfsg1-0.2 Authentication abstraction library
ii libssl0.9.8 0.9.8b-2 SSL shared libraries
ii libwrap0 7.6.dbs-9 Wietse Venema's TCP wrappers libra
cyrus-imapd-2.2 recommends no packages.
-- no debconf information
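The report above rests on one fact about unix-domain sockets: on Linux, connect() on an AF_UNIX socket requires write permission on the socket inode, so a mode of srwxrwxrwx means every local user can open a session with the daemon behind it. The following is an added example, not code from the bug report or from the Cyrus project, that audits a socket the way a reviewer of this report would: it flags a world-writable socket, optionally a group other than the one you intend to allow, and a world-writable non-sticky parent directory (which would let a local user unlink the socket and substitute their own). The path /var/run/cyrus/socket/lmtp is taken from the report; the group id and the 0660 target mode are assumptions to adjust to your MTA.

```python
"""Audit and tighten permissions on a unix-domain socket such as Cyrus' lmtp socket.

Added example; the socket path below comes from the bug report, everything else
(target mode, allowed group) is an assumption for the reader to adjust.
"""
import os
import socket
import stat
import sys
import tempfile

# Path quoted in the report (assumed to be the socket you want to audit).
CYRUS_LMTP_SOCKET = "/var/run/cyrus/socket/lmtp"


def socket_problems(path, allowed_gid=None):
    """Return a list of permission problems for the socket at `path`.

    On Linux, connect() on an AF_UNIX socket needs write permission on the
    socket inode, so every principal with write access can talk to the daemon.
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["%s is not a socket" % path]
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can connect")
    if allowed_gid is not None and st.st_mode & stat.S_IWGRP and st.st_gid != allowed_gid:
        problems.append("group-writable by gid %d, expected %d" % (st.st_gid, allowed_gid))
    # A world-writable parent without the sticky bit lets any user unlink the
    # socket and bind their own in its place, capturing whatever is delivered.
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without sticky bit")
    return problems


def harden(path, gid=None, mode=0o660):
    """Restrict the socket to its owner plus one group (e.g. the MTA's group).

    chown requires root; pass gid=None to only change the mode. Returns the
    remaining problems so callers can verify the result.
    """
    if gid is not None:
        os.chown(path, -1, gid)
    os.chmod(path, mode)
    return socket_problems(path, allowed_gid=gid)


def make_demo_socket(directory, mode=0o777):
    """Create a bound AF_UNIX socket with the given mode (constructed fixture).

    The socket file persists after close(); only unlink() removes it, which is
    why a stale world-writable socket can outlive the process that made it.
    """
    path = os.path.join(directory, "lmtp")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()
    os.chmod(path, mode)
    return path


def demo():
    """Reproduce the reported srwxrwxrwx state in a temp dir and fix it."""
    d = tempfile.mkdtemp()
    path = make_demo_socket(d)            # mode 0777, as in the report
    before = socket_problems(path)
    after = harden(path)                  # 0660, no chown (not root)
    os.chmod(d, 0o777)                    # now the directory itself is weak
    weak_parent = socket_problems(path)
    os.chmod(d, 0o1777)                   # sticky bit blocks the swap attack
    sticky_parent = socket_problems(path)
    return {"before": before, "after": after,
            "weak_parent": weak_parent, "sticky_parent": sticky_parent}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CYRUS_LMTP_SOCKET
    for p in socket_problems(target) or ["no problems found"]:
        print("%s: %s" % (target, p))
```

Run it as `python3 check_socket.py /var/run/cyrus/socket/lmtp` on the affected host. One caveat: the daemon unlinks and re-binds its socket at every start, so a one-shot chmod only lasts until the next restart; the durable fix is whatever the packaging uses to set the socket's mode or group at creation time, which is what the report asks the maintainers to tighten.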