[Secure-testing-team] Bug#609762: amavisd-milter: Init script changes owner of current directory to 'amavis'

Gabor Kiss kissg at ssg.ki.iif.hu
Wed Jan 12 11:01:10 UTC 2011


Package: amavisd-milter
Version: 1.5.0-2
Severity: grave
Tags: security
Justification: user security hole

After "sudo bash" I issued "/etc/init.d/amavisd-milter restart".
What a surprise! My home directory got owned by user amavis.

Running init script under bash -vx reveals the problem:

[ $MILTERSOCKET ] && ([ -d $(dirname $MILTERSOCKET) ] || mkdir $(dirname $MILTERSOCKET) && chown $USER $(dirname $MILTERSOCKET))
+ '[' inet6:60001 ']'
dirname $MILTERSOCKET
++ dirname inet6:60001
+ '[' -d . ']'
dirname $MILTERSOCKET
++ dirname inet6:60001
+ chown amavis .

Yes, of course: the root directory is also owned by amavis(!!!) due
to the first boot process since installing the amavisd-milter package. :-(

And some other random directories too that were the cwd when starting
the daemon by hand.

Gabor

-- System Information:
Debian Release: 5.0.7
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'proposed-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages amavisd-milter depends on:
ii  amavisd-new            1:2.6.4-1~bpo50+1 Interface between MTA and virus sc
ii  libc6                  2.7-18lenny7      GNU C Library: Shared libraries
ii  libmilter1.0.1         8.14.3-5+lenny1   Sendmail Mail Filter API (Milter)

Versions of packages amavisd-milter recommends:
ii  postfix                       2.5.5-1.1  High-performance mail transport ag

amavisd-milter suggests no packages.

-- no debconf information
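
The traced line runs dirname on an inet6: socket spec, which yields ".", and because || and && have equal precedence and group left to right, chown runs even when the directory already exists. The sketch below is an added example, not part of the report or the package's init script: it derives a directory only from an absolute filesystem socket path and skips TCP specs. The function names and sample paths are hypothetical; the local:/unix:/inet:/inet6: prefixes are assumed to follow libmilter's socket syntax.

```shell
# Added example (hypothetical helper names), not the amavisd-milter init script.

# socket_dir SPEC
# Print the directory that must exist for a filesystem milter socket.
# Print nothing for inet:/inet6: specs, relative paths, or sockets placed in /.
socket_dir() {
    spec=$1
    case "$spec" in
        inet:*|inet6:*) return 0 ;;          # TCP socket: no directory involved
        local:*|unix:*) path=${spec#*:} ;;   # strip the scheme prefix
        *)              path=$spec ;;        # bare path
    esac
    case "$path" in
        /*) ;;                                # accept absolute paths only
        *)  return 0 ;;                       # relative: dirname would resolve to cwd
    esac
    dir=$(dirname "$path")
    [ "$dir" = "/" ] && return 0             # never hand / to the daemon user
    printf '%s\n' "$dir"
}

# prepare_socket_dir SPEC USER
# Create the socket directory if needed, then chown that directory only.
# Each step is explicit, so nothing depends on || / && grouping.
prepare_socket_dir() {
    dir=$(socket_dir "$1")
    [ -n "$dir" ] || return 0                # nothing to create or chown
    [ -d "$dir" ] || mkdir -p -- "$dir" || return 1
    chown -- "$2" "$dir"
}
```

In an init script this would be called as prepare_socket_dir "$MILTERSOCKET" "$USER" in place of the one-liner shown in the trace.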




