On Mon, Jan 11, 2010 at 04:10:28PM -0800, Russ Allbery wrote:
>Sune Vuorela <Sune@vuorela.dk> writes:
>
>>A while ago, ssmtp started requiring users to be in group:mail to be
>>able to send emails. As "mail" traditionally is the group (and user)
>>for mail transporting in general, as this is how /var/mail/* is
>>governed.
>
>At first glance, the analysis in the bug log from Rémi Denis-Courmont
>appears to be correct to me. Group mail is a privileged system group
>which has read/write access to everyone's mail in one of the two mail
>permission configurations that Debian explicitly supports (see Policy
>11.6). It also allows a user in that group to delete anyone else's
>mail spool due to the default permissions on /var/mail. Overloading
>that group to control who can send outgoing mail looks like a bad
>conflation of two different privileges that will lead to users being
>given excessive and unexpected privileges.

I didn't want to create yet another group. Are you suggesting to create
a new one just for ssmtp?

>However, all that's happened to date in the public bug log is that the
>maintainer has changed the severity; there's no wontfix tag or
>indication that the bug won't be fixed.
>
>Aníbal, could you give some more background on your plans here? I
>don't think the severity is really the relevant question; the question
>is more whether you intend to keep the current behavior or if you
>already have plans to change it. If you plan to change it, then it
>probably doesn't matter a great deal what the bug severity is set to.

I would like to fix it by encrypting the password but it'll take me some
time. If someone could provide ideas/hints/patches they will be very
much appreciated.

>--
>Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>