
Re: mgetty vulnerable



Hi,


I am not subscribed to debian-security, so please include me in your Cc:
for this discussion.

I have noticed a "fax" user was expected in mgetty-1.1.30 (never played
with 1.1.29). The problem I have with that is that this user is required at
build time (during the make install phase). Another problem is that
Debian does not have such a user, although one used to exist temporarily
for hylafax a couple of years ago. Now, hylafax is using uucp, so is
pppd and every communication server package I know of in Debian.

The problem here seems to be that mgetty's sendfax was running under
user root. Now, if we use uucp (which I have modified mgetty 1.1.30 for
last week), I don't see where the problem is. I don't see the point in
requesting the creation of a user for one little program nor do I judge
this compromise (using uucp) as a security issue.

Please correct me if I am wrong though.


Wolfgang
PS: now it seems Debian mgetty's sendfax has been broken since 1.1.30, but
this is another issue which will be fixed before next week.
