[Secure-testing-team] Bug#725164: dovenull user has wrong group
roma1390
roma1390 at gmail.com
Wed Oct 2 07:43:00 UTC 2013
Package: dovecot-core
Version: 1:2.1.7-7
Severity: important
Tags: security
According to http://wiki2.dovecot.org/UserIds upstream recommends special
restrictions for the user dovenull:
dovenull user is used internally for processing users' logins. It shouldn't
have access to any files, authentication databases or anything else either.
It should belong to its own private dovenull group where no one else belongs
to, and which doesn't have access to any files either (other than what Dovecot
internally creates).
Important part: ... private dovenull group where no one else belongs ...
Currently my install has:
$ id dovenull
uid=107(dovenull) gid=65534(nogroup) groups=65534(nogroup)
And to nogroup belong plenty of other users:
$ cat /etc/passwd | grep ':65534:'
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dovenull:x:107:65534:Dovecot login user,,,:/nonexistent:/bin/false
This configuration mismatch is not described in:
/usr/share/doc/dovecot-core/README.Debian.gz
This does not follow upstream recommendations and can raise unplanned security
issues.
Please fix this or explain in /usr/share/doc/dovecot-core/README.Debian.gz
why Debian does not follow the upstream recommendation.
-- Package-specific info:
-- System Information:
Debian Release: 7.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-7-pve (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages dovecot-core depends on:
ii adduser 3.113+nmu3
ii libbz2-1.0 1.0.6-4
ii libc6 2.13-38
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1e-2
ii openssl 1.0.1e-2
ii ucf 3.0025+nmu3
ii zlib1g 1:1.2.7.dfsg-13
dovecot-core recommends no packages.
Versions of packages dovecot-core suggests:
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.1.7-7
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
pn dovecot-sieve <none>
pn dovecot-solr <none>
pn dovecot-sqlite <none>
pn ntp <none>
Versions of packages dovecot-core is related to:
ii dovecot-core [dovecot-common] 1:2.1.7-7
pn dovecot-dbg <none>
pn dovecot-dev <none>
pn dovecot-gssapi <none>
ii dovecot-imapd 1:2.1.7-7
pn dovecot-ldap <none>
pn dovecot-lmtpd <none>
pn dovecot-managesieved <none>
pn dovecot-mysql <none>
pn dovecot-pgsql <none>
pn dovecot-pop3d <none>
pn dovecot-sieve <none>
pn dovecot-sqlite <none>
-- no debconf information
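A defender-side check for the condition this report describes, added here as an example; it is not the reporter's commands and not part of Debian's dovecot packaging. It parses passwd and group text and flags a service account whose primary gid is shared with other accounts or has supplementary members. The sample passwd/group data is constructed to mirror the output quoted above (sync, nobody, sshd and dovenull all on gid 65534); the "fixed" variant with a private gid 112 is an assumed value, not something the report states.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that a service account (here
# dovenull) has a private primary group, i.e. no other account in passwd shares
# its gid and the group has no supplementary members in the group file.
#
# SAMPLE_PASSWD / SAMPLE_GROUP are constructed to mirror the report's output.
# FIXED_PASSWD shows the desired state; gid 112 is an assumed value.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dovenull:x:107:65534:Dovecot login user,,,:/nonexistent:/bin/false'

SAMPLE_GROUP='root:x:0:
nogroup:x:65534:
dovenull:x:112:'

FIXED_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dovenull:x:107:112:Dovecot login user,,,:/nonexistent:/bin/false'

# primary_gid USER PASSWD_TEXT -> prints USER's primary gid (field 4)
primary_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# gid_sharers USER GID PASSWD_TEXT -> every other account whose primary gid
# is GID, one name per line
gid_sharers() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" \
        '$4 == g && $1 != u { print $1 }'
}

# group_members GID GROUP_TEXT -> supplementary members of group GID
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$3 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# check_private_group USER PASSWD_TEXT GROUP_TEXT
# returns 0 if USER's primary group is private, 1 if shared (offenders are
# printed), 2 if USER does not exist
check_private_group() {
    user=$1
    gid=$(primary_gid "$user" "$2")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 2; }
    offenders=$( { gid_sharers "$user" "$gid" "$2"; group_members "$gid" "$3"; } \
        | grep -v "^$user\$" | sort -u)
    if [ -n "$offenders" ]; then
        echo "$user: gid $gid is shared with: $(printf '%s' "$offenders" | tr '\n' ' ')"
        return 1
    fi
    echo "$user: gid $gid is private"
    return 0
}

# Stand-alone run: first the state from the report (fails the check), then
# the desired state with a private group.
check_private_group dovenull "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || echo "(state described in the report)"
check_private_group dovenull "$FIXED_PASSWD" "$SAMPLE_GROUP"
```

On a real host the same functions can be fed `"$(cat /etc/passwd)"` and `"$(cat /etc/group)"`; the check only reads the account databases and changes nothing.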