Bug#854286: cyrus-imapd: cyrus user has a working shell.

Ondřej Surý ondrej at sury.org
Tue Feb 7 13:02:22 UTC 2017


Control: tags -1 +moreinfo

Hi Mans,

the cyrus user is created with disabled credentials:

        adduser --quiet --system --ingroup mail --home /var/spool/cyrus \
           --shell /bin/sh --no-create-home --disabled-password \
           --gecos "Cyrus Mailsystem User"  cyrus >/dev/null

and as you have changed that I don't see how it's a package fault that
you chose to use a weak password?

Disabling the shell is not a strong security countermeasure for weak
passwords - e.g. the attacker might have been able to modify the sieve
scripts by authenticating as the cyrus user, etc.

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flours from the mill and supplies
for baking bread of all kinds

On Sun, Feb 5, 2017, at 19:44, Mans Nilsson wrote:
> Package: cyrus-imapd
> Version: cyrus-imapd
> Severity: important
> Tags: patch
> 
> Dear Maintainer,
> 
>    * What led up to the situation?
> 
> I was owned by a cracker that exploited the fact that cyrus has /bin/sh
> as shell
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> I'd set a simple password for cyrus, and expected to use that for
> situations where authenticating as cyrus would be done without a shell
> being opened. I run Kerberos 5 as authentication system, and GSSAPI for
> my IMAP access, so giving "cyrus" a Kerberos principal was important to
> get some admin stuff working.
> 
>    * What was the outcome of this action?
> 
> I was owned and had to spend an evening rebooting and patching. 
> 
>    * What outcome did you expect instead?
> 
> Happiness ;-) 
> 
>    * Fix: 
> 
> I've done a bunch of quick tests simply setting the cyrus user shell
> to /bin/false. The IMAP server works as before, but I've not tested
> all functions.  If for some reason, the shell must remain usable, it is
> probably advisable to admonish people into setting a good password.
> 
> -- System Information:
> Debian Release: 8.7
>   APT prefers stable
>   APT policy: (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
> 
> _______________________________________________
> Pkg-Cyrus-imapd-Debian-devel mailing list
> Pkg-Cyrus-imapd-Debian-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-imapd-debian-devel
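
Added example (not part of the original thread or of the Debian package): a shell check for the condition discussed above, a system account that has both an interactive shell and a usable password. The function names, the 1-999 system UID range and the sample passwd/shadow entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag system accounts that combine an interactive shell
# with a usable password, the situation described in this bug report.

# audit_accounts PASSWD SHADOW: print "name shell" for each risky account.
# Assumption: UIDs 1-999 are system accounts (Debian default range).
audit_accounts() {
    awk -F: '
        # First file (shadow): record accounts whose password field is usable.
        # Per shadow(5), a field starting with "!" or "*" matches no password;
        # an empty field (login without password) is counted as usable.
        NR == FNR { if ($2 !~ /^[!*]/) usable[$1] = 1; next }
        # Second file (passwd): non-root system UID, real shell, usable password.
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ && ($1 in usable) {
            print $1, $7
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed passwd/shadow entries (hashes are placeholders).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
cyrus:x:109:8:Cyrus Mailsystem User:/var/spool/cyrus:/bin/sh
svcdefault:x:110:8:as packaged:/nonexistent:/bin/sh
postfix:x:111:116::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER$hash:17200:0:99999:7:::
cyrus:$6$PLACEHOLDER$hash:17202:0:99999:7:::
svcdefault:*:17000:0:99999:7:::
postfix:*:17000:0:99999:7:::
alice:$6$PLACEHOLDER$hash:17100:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"   # prints: cyrus /bin/sh
rm -rf "$demo_dir"
```

On a live host, run audit_accounts /etc/passwd /etc/shadow as root.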


