Bug#854286: cyrus-imapd: cyrus user has a working shell.
Ondřej Surý
ondrej at sury.org
Tue Feb 7 13:02:22 UTC 2017
Control: tags -1 +moreinfo
Hi Mans,
the cyrus user is created with disabled credentials:
  adduser --quiet --system --ingroup mail --home /var/spool/cyrus \
    --shell /bin/sh --no-create-home --disabled-password \
    --gecos "Cyrus Mailsystem User" cyrus >/dev/null
and as you have changed that I don't see how it's a package fault that
you chose to use a weak password?
Disabling the shell is not a strong security countermeasure for weak
passwords - e.g. the attacker might have been able to modify the sieve
scripts by authenticating as the cyrus user, etc.
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flours from the mill and supplies for
baking bread of all kinds
On Sun, Feb 5, 2017, at 19:44, Mans Nilsson wrote:
> Package: cyrus-imapd
> Version: cyrus-imapd
> Severity: important
> Tags: patch
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> I was owned by a cracker that exploited the fact that cyrus has /bin/sh
> as shell
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> I'd set a simple password for cyrus, and expected to use that for
> situations where authenticating as cyrus would be done without a shell
> being opened. I run Kerberos 5 as authentication system, and GSSAPI for
> my IMAP access, so giving "cyrus" a Kerberos principal was important to
> get some admin stuff working.
>
> * What was the outcome of this action?
>
> I was owned and had to spend an evening rebooting and patching.
>
> * What outcome did you expect instead?
>
> Happiness ;-)
>
> * Fix:
>
> I've done a bunch of quick tests simply setting the cyrus user shell
> to /bin/false. The IMAP server works as before, but I've not tested
> all functions. If for some reason, the shell must remain usable, it is
> probably advisable to admonish people into setting a good password.
>
> -- System Information:
> Debian Release: 8.7
> APT prefers stable
> APT policy: (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
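An added example, not part of the thread or of the Debian package: a shell function that lists non-root system accounts combining the two conditions discussed above, a login shell and a password field that can authenticate. The function names, the UID cutoff of 999 and the sample passwd/shadow entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_accounts PASSWD SHADOW [UID_MAX]
# Prints "name:shell:reason" for each non-root system account that has both
# a login shell and a shadow password field that can authenticate.
audit_accounts() {
    awk -F: -v max="${3:-999}" '
        # First file (shadow): remember each password field.
        NR == FNR { pw[$1] = $2; next }
        # Second file (passwd): skip root and ordinary user accounts.
        $3 == 0 || $3 + 0 > max + 0 { next }
        # Skip shells that refuse interactive use.
        $7 ~ /\/(nologin|false)$/ { next }
        # No shadow entry: nothing to judge.
        !($1 in pw) { next }
        # A leading "!" or "*" cannot match any password (shadow(5)).
        pw[$1] ~ /^[!*]/ { next }
        # An empty field means no password is required at all.
        { print $1 ":" $7 ":" (pw[$1] == "" ? "empty password" : "password set") }
    ' "$2" "$1"
}

# Constructed sample data (not taken from any real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
cyrus:x:110:8:Cyrus Mailsystem User:/var/spool/cyrus:/bin/sh
postfix:x:111:115::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:17200:0:99999:7:::
daemon:*:17200:0:99999:7:::
backup::17200:0:99999:7:::
cyrus:$6$CONSTRUCTED$constructedhash:17202:0:99999:7:::
postfix:$6$CONSTRUCTED$constructedhash:17202:0:99999:7:::
alice:$6$CONSTRUCTED$constructedhash:17202:0:99999:7:::
EOF
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

On a live system the function would be run as root against /etc/passwd and /etc/shadow. It inspects only local shadow entries; credentials held elsewhere, such as a Kerberos principal, are outside what it can see.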