Bug#854286: cyrus-imapd: cyrus user has a working shell.
Ondřej Surý
ondrej at sury.org
Tue Feb 7 15:47:21 UTC 2017
Let's see:
https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2017-February/004000.html
(Also please keep 854286 at bugs.debian.org in Cc: in future replies)
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna a potřeby pro
pečení chleba všeho druhu
On Tue, Feb 7, 2017, at 16:04, Måns Nilsson wrote:
> Subject: Re: Bug#854286: cyrus-imapd: cyrus user has a working shell.
> Date: Tue, Feb 07, 2017 at 02:02:22PM +0100 Quoting Ondřej Surý
> (ondrej at sury.org):
> > Control: tags -1 +moreinfo
> >
> > Hi Mans,
> >
> > the cyrus user is created with disabled credentials:
> >
> > adduser --quiet --system --ingroup mail --home /var/spool/cyrus
> > \
> > --shell /bin/sh --no-create-home --disabled-password \
> > --gecos "Cyrus Mailsystem User" cyrus >/dev/null
> >
> > and as you have changed that I don't see how it's a package fault that
> > you chose to use a weak password?
> >
> > Disabling the shell is a not strong security countermeasure for a weak
> > passwords - f.e. the attacker might have been able to modify the sieve
> > scripts by authenticating to the cyrus user, etc.
>
> Hi,
>
> I know I did chose a bad password, that is my fault; no discussion on
> that ;-)
>
> But, as I use Kerberos the '--disabled-password' is moot. I can create a
> user
> with :*: in the shadow file and login anyway; I do that frequently. We
> need some other method...
>
> It all boils down to -- for what purpose does the curus user need a
> shell?
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> I can't think about that. It doesn't go with HEDGES in the shape of
> LITTLE LULU -- or ROBOTS making BRICKS ...
> Email had 1 attachment:
> + signature.asc
> 1k (application/pgp-signature)
More information about the Pkg-Cyrus-imapd-Debian-devel
mailing list