
Bug#557948: ssmtp severity 557948 normal



Sune Vuorela <Sune@vuorela.dk> writes:

> A while ago, ssmtp started requiring users to be in group:mail to be
> able to send emails. As "mail" traditionally is the group (and user) for
> mail transporting in general, as this is how /var/mail/* is governed.

At first glance, the analysis in the bug log from Rémi Denis-Courmont
appears to be correct to me.  Group mail is a privileged system group
which has read/write access to everyone's mail in one of the two mail
permission configurations that Debian explicitly supports (see Policy
11.6).  It also allows a user in that group to delete anyone else's mail
spool due to the default permissions on /var/mail.  Overloading that group
to control who can send outgoing mail looks like a bad conflation of two
different privileges that will lead to users being given excessive and
unexpected privileges.

However, all that's happened to date in the public bug log is that the
maintainer has changed the severity; there's no wontfix tag or indication
that the bug won't be fixed.

Aníbal, could you give some more background on your plans here?  I don't
think the severity is really the relevant question; the question is more
whether you intend to keep the current behavior or if you already have
plans to change it.  If you plan to change it, then it probably doesn't
matter a great deal what the bug severity is set to.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
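
The following is an added example, not part of the message above or of ssmtp: a small audit that reports what a non-owner member of a given group can do in a mail spool directory, which is the privilege the message says is being conflated with permission to send mail. The function names and the sample spool (file modes 0660 and 0600, with the temporary directory's own group standing in for "mail") are constructed for illustration.

```python
import os
import stat
import tempfile


def group_powers(spool_dir, gid):
    """Report what a non-owner member of group `gid` can do in `spool_dir`."""
    st = os.stat(spool_dir)
    # Write+search on the directory lets a member unlink or rename any entry,
    # unless the sticky bit restricts that to the entry's owner.
    dir_writable = st.st_gid == gid and (st.st_mode & 0o030) == 0o030
    report = {
        "can_delete_any_spool": dir_writable and not st.st_mode & stat.S_ISVTX,
        "readable": [],
        "writable": [],
    }
    for entry in os.scandir(spool_dir):
        est = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(est.st_mode) or est.st_gid != gid:
            continue
        if est.st_mode & stat.S_IRGRP:
            report["readable"].append(entry.name)
        if est.st_mode & stat.S_IWGRP:
            report["writable"].append(entry.name)
    report["readable"].sort()
    report["writable"].sort()
    return report


def build_sample_spool(dir_mode=0o775):
    """Constructed spool: alice is group-accessible (0660), bob is private (0600)."""
    root = tempfile.mkdtemp(prefix="spool-demo-")
    for name, mode in (("alice", 0o660), ("bob", 0o600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("From constructed@example.invalid\n")
        os.chmod(path, mode)
    os.chmod(root, dir_mode)
    # The temp dir's own group stands in for "mail" in this sample.
    return root, os.stat(root).st_gid


if __name__ == "__main__":
    import grp
    # On a real system: audit /var/mail against the actual "mail" group.
    print(group_powers("/var/mail", grp.getgrnam("mail").gr_gid))
```

Any account listed in the group's membership inherits everything this report shows, so the output is a direct measure of what adding a user to the group in order to send mail would also grant.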


