Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)
On 21.08.2012 19:51, Bart Martens wrote:
> Hi Nick,
>
> On Tue, Aug 21, 2012 at 09:29:28AM +0100, Nick Leverton wrote:
>> Thanks also Bart for reminding me of the other approach.
>
> My pleasure.
>
>> (sorry I am
>> a bit distracted by home things at the moment).
>
> No problem at all.
>
>> diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
>> --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.000000000 +0100
>> +++ nullmailer-1.11/debian/postinst 2012-08-21 09:07:21.000000000 +0100
>> @@ -24,6 +24,15 @@
>> fi
>>
>> db_get nullmailer/relayhost
>> + # securely create nullmailer/remotes with mode 0600
>> + if [ ! -e /etc/nullmailer/remotes ]
>> + then
>> + M=$( umask )
>> + umask 077
>> + > /etc/nullmailer/remotes
>> + chown mail:mail /etc/nullmailer/remotes
>> + umask $M
>> + fi
>> echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
>> -e 's/[[:space:]]*:[[:space:]]*/\n/g' \
>> -e ':b s/(\[[^]=]*)=/\1:/; tb' \
>
> What if the file already exists : No chmod and no chown needed then ?
It's a good question, but I'd say the current code is right.
It is admin decision to change permission/ownership, we should
not alter thsese decision. The only problem remains is
insecure permissions of the previously created file (which
is the whole point of this bugreport and the upload)...
/mjt
Reply to: