Re: RFC: courier-webadmin
On 15999 March 1977, Markus Wanner wrote:
I'm currently considering dropping the binary package courier-webadmin
from the packaged courier suite due to security concerns. This is a CGI
binary allowing web-based configuration of the Courier MTA. To modify
the configuration and restart the server(s), it needs to be setuid
root.
[description of that stuff]
This is inspired by discussions with a disappointed user providing
valuable feedback (in combination with somewhat less valuable feedback
and in English sentences I have a hard time understanding) [2], [3].
So the code itself is not actually the security risk (minus any possible
bugs, obviously), but the way it has to run and will be set up allows one
to open holes that can lead to abuse of the courier service on the
machine?
That does not sound like a good reason to drop it, but more like one to
ensure that the config you ship is as secure as possible, possibly with
information for the admin on what they need to keep in mind when
adjusting it. It might make security drop a bit when installed, but
(depending on how much this allows), there might be users actually
depending on it for their instances.
If I'm going to drop this binary package, is a warning in NEWS enough
(in courier-base, a dependency), or shall I better provide an empty shim
package that actually removes the setuid binary (when upgraded)?
If you decide to remove it, ensuring you don't leave unmaintained files
around is a good thing.
--
bye, Joerg