
RFC: courier-webadmin



Hi,

as the current maintainer of courier [0], I'd like some advice from more experienced DDs.

I'm currently considering dropping the binary package courier-webadmin from the packaged courier suite due to security concerns. This is a CGI binary allowing web based configuration of the Courier MTA. To modify the configuration and restart the server(s), it needs to be setuid root.

Security measures in place:

* the package warns about risks with setuid binaries and the user
  explicitly needs to enable the feature (it simply doesn't work if the
  user denies though - rendering the installation of the package
  pointless)

* the setuid binary is a tiny (72 lines) C program that drops
  permissions and invokes a Perl script

* the Perl script by default only serves requests that are either
  originating from the local host *or* which are SSL encrypted


Concerns:

* to save changes, the C wrapper does not drop permissions, but invokes
  the Perl script directly with root rights.

* a reverse proxy happily forwards HTTP requests appearing as local to
  the CGI script, thus potentially circumventing this barrier.

* the user normally used is the same that runs the MTA or IMAP server,
  i.e. user 'courier'.  Meaning even in dropped privileges mode, the
  Perl script has all the rights the MTA or IMAP server have.

* the password is stored and transported in plain text

* the password gets stored in plain text in a cookie on the
  user's browser

* lack of any audit traces of who changed what or when

* upstream's INSTALL reads: "This is not Fort Knox, and webadmin is not
  going to be publicly accessible, so the only needed security is to
  keep everyone out except for authorized IP addresses."


This is inspired by discussions with a disappointed user providing valuable feedback (in combination with somewhat less valuable feedback and in English sentences I have a hard time understanding) [2], [3].


If I'm going to drop this binary package, is a warning in NEWS enough (in courier-base, a dependency), or should I rather provide an empty shim package that actually removes the setuid binary (when upgraded)?


I've clearly neglected this package for too long already and have requested an RFH as well [1]. And yes, this left some users unhappy and they are rightfully frustrated. Dropping support for courier-webadmin might not help that, either, and it wastes all the effort of previous maintainers. However, I clearly don't feel comfortable maintaining *that* part of courier.

Thoughts? Comments? Recommendations?

Best Regards

Markus


[0]: https://tracker.debian.org/pkg/courier
[1]: RFH: courier bug: https://bugs.debian.org/978755
[2]: https://salsa.debian.org/debian/courier/-/merge_requests/9
[3]: https://bugs.debian.org/341205


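The post's second concern, that a reverse proxy makes remote requests look local to the CGI script and so defeats the "local host or SSL" rule, is easy to reproduce. The following is an added example, not code from the original message and not Courier's or webadmin's own Perl script: it models that rule over a CGI environment and contrasts it with a check that never lets a loopback address stand in for a credential. Assumptions: the CGI sees the standard REMOTE_ADDR variable (RFC 3875) and the Apache/mod_ssl convention HTTPS=on; the proxy header names and the sample addresses are constructed for the example.

```python
# Added example (not from the original post or from Courier): models the
# "local host OR SSL" access rule as the post describes it and shows why a
# reverse proxy on the same host defeats it. Assumes REMOTE_ADDR (RFC 3875)
# and the Apache/mod_ssl convention HTTPS=on; sample data is constructed.

LOOPBACK = {"127.0.0.1", "::1"}

# Headers a forwarding proxy commonly adds (CGI exposes them with an HTTP_
# prefix). A proxy may add none of them, which is exactly why the hardened
# check never treats a loopback peer as a substitute for a credential.
PROXY_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED", "HTTP_VIA", "HTTP_X_REAL_IP")


def _tls(env):
    return env.get("HTTPS", "").lower() == "on"


def naive_allows(env):
    """Serve if the peer looks local OR the request came over TLS (the rule in the post)."""
    return env.get("REMOTE_ADDR") in LOOPBACK or _tls(env)


def hardened_allows(env, credential_ok):
    """A credential is required in every case; the peer address only decides
    whether TLS may be skipped, and any proxy evidence revokes that exemption."""
    if not credential_ok:
        return False
    direct_loopback = (env.get("REMOTE_ADDR") in LOOPBACK
                       and not any(h in env for h in PROXY_HEADERS))
    return direct_loopback or _tls(env)


# Constructed CGI environments; 203.0.113.0/24 is the documentation range.
DIRECT_LOCAL = {"REMOTE_ADDR": "127.0.0.1"}
# Remote client over plain HTTP, relayed by a proxy listening on the same box:
PROXIED_PLAIN = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
REMOTE_TLS = {"REMOTE_ADDR": "203.0.113.7", "HTTPS": "on"}
REMOTE_PLAIN = {"REMOTE_ADDR": "203.0.113.7"}


def compare(env, credential_ok=True):
    """Return (naive_decision, hardened_decision) for one request."""
    return naive_allows(env), hardened_allows(env, credential_ok)


if __name__ == "__main__":
    cases = [("direct local", DIRECT_LOCAL), ("proxied plain", PROXIED_PLAIN),
             ("remote TLS", REMOTE_TLS), ("remote plain", REMOTE_PLAIN)]
    for name, env in cases:
        naive, hardened = compare(env)
        print(f"{name:14s} naive={naive!s:5s} hardened={hardened}")
```

The proxied plain-HTTP request is the bypass: the naive rule admits it because REMOTE_ADDR is 127.0.0.1, while the hardened rule rejects it. Note that the hardened check does not trust the X-Forwarded-For value itself (a client can send that header too); it only uses its presence as a reason to withdraw the loopback exemption. Since a proxy that adds no headers is indistinguishable from a local client, the part that actually closes the hole is requiring a credential on every request, with loopback at most relaxing the TLS requirement.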