Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#264011; Package procmail.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin@piware.de>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Package: procmail
Severity: wishlist
Tags: patch
Hi Santiago!
procmail is currently installed setuid root, which is a potential
security hole and not necessary for many popular MTAs like exim4 and
postfix.
I created an updated package which asks (with debconf) whether to
install procmail suid root. Default is yes to stay compatible, but
this makes it easier to switch it off by default (as we did in
Ubuntu). In addition, setgid usage is kept to a minimum.
You can get a source package interdiff against the current 3.22-9 from
http://back.from.the.roots.no-name-yet.com/patches/procmail.minprivs.diff
The changelog entry:
|procmail (3.22-9ubuntu1) unstable; urgency=low
|
| * Minimized sgid privilege usage: right at the program start the effective
| group (mail) is reset to the real group (normally the user's primary
| group); privileged group 'mail' is just used when creating a previously
| missing default mailbox in /var/mail/<username>.
| * Added debconf question whether to install procmail setuid root (with
| default 'yes' to stay compatible). This is not needed with e. g. exim4 and
| postfix, disabling it eliminates a potential security hole.
| * Added build-dep po-debconf and dependency debconf.
| * Added German translation of debconf question.
|
| -- Martin Pitt <mpitt@debian.org> Sat, 24 Jul 2004 00:52:55 +0200
Thanks for considering and have a nice day!
Martin
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7+skas-amd
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
--
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.dehttp://www.debian.org
To: Martin Pitt <martin@piware.de>, 264011-done@bugs.debian.org
Subject: Re: Bug#264011: procmail: Please make suid installation optional
Date: Fri, 6 Aug 2004 21:49:26 +0200 (CEST)
On Fri, 6 Aug 2004, Martin Pitt wrote:
> Package: procmail
> Severity: wishlist
> Tags: patch
>
> Hi Santiago!
>
> procmail is currently installed setuid root, which is a potential
> security hole and not necessary for many popular MTAs like exim4 and
> postfix.
>
> I created an updated package which asks (with debconf) whether to
> install procmail suid root. Default is yes to stay compatible, but
> this makes it easier to switch it off by default (as we did in
> Ubuntu). In addition, setgid usage is kept to a minimum.
Sorry, I think adding a debconf question for this is an extremely bad idea.
You have already the freedom to change the default by using dpkg-statoverride,
there is no need to add a debconf question for this.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#264011; Package procmail.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Hi Santiago!
On 2004-08-06 21:49 +0200, Santiago Vila wrote:
> > procmail is currently installed setuid root, which is a potential
> > security hole and not necessary for many popular MTAs like exim4 and
> > postfix.
> >
> > I created an updated package which asks (with debconf) whether to
> > install procmail suid root. Default is yes to stay compatible, but
> > this makes it easier to switch it off by default (as we did in
> > Ubuntu). In addition, setgid usage is kept to a minimum.
>
> Sorry, I think adding a debconf question for this is an extremely bad idea.
Why do you think so? If you consider "normal" too high, then just make
it minor.
> You have already the freedom to change the default by using
> dpkg-statoverride, there is no need to add a debconf question for
> this.
This would make it easier both for automatic installations and for
Custom Debian distributions, so I think a debconf question makes
sense. Please note that I did not actually intend to show it to the
user (our Distribution has debconf priority high by default), it is
just an easy way to switch the default for different distributions.
Please consider reopening this bug. It is wishlist and should not hurt
you too much. You can tag it wontfix for my sake, but then other users
see it and can benefit from the patch if they want.
Thanks and have a nice weekend!
Martin
--
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.dehttp://www.debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#264011; Package procmail.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
To: Martin Pitt <martin@piware.de>, 264011@bugs.debian.org
Subject: Re: Bug#264011: procmail: Please make suid installation optional
Date: Sun, 8 Aug 2004 01:22:45 +0200 (CEST)
On Sat, 7 Aug 2004, Martin Pitt wrote:
> Hi Santiago!
>
> On 2004-08-06 21:49 +0200, Santiago Vila wrote:
> > > procmail is currently installed setuid root, which is a potential
> > > security hole and not necessary for many popular MTAs like exim4 and
> > > postfix.
> > >
> > > I created an updated package which asks (with debconf) whether to
> > > install procmail suid root. Default is yes to stay compatible, but
> > > this makes it easier to switch it off by default (as we did in
> > > Ubuntu). In addition, setgid usage is kept to a minimum.
> >
> > Sorry, I think adding a debconf question for this is an extremely bad idea.
>
> Why do you think so? If you consider "normal" too high, then just make
> it minor.
I don't *even* want to suggest that dropping the suid bit might be a
good idea, which is exactly what a debconf question would do.
Some time ago there was a user complaining about procmail being suid-root.
Some days later, he was complaining about "lost email": apparently he
removed the suid bit in his system. I don't want this to happen.
A debconf question, no matter its priority, would make this to
happen easier.
> > You have already the freedom to change the default by using
> > dpkg-statoverride, there is no need to add a debconf question for
> > this.
>
> This would make it easier both for automatic installations and for
> Custom Debian distributions, so I think a debconf question makes
> sense. Please note that I did not actually intend to show it to the
> user (our Distribution has debconf priority high by default), it is
> just an easy way to switch the default for different distributions.
>
> Please consider reopening this bug. It is wishlist and should not hurt
> you too much. You can tag it wontfix for my sake, but then other users
> see it and can benefit from the patch if they want.
I don't believe in "wontfix" bugs. Either some thing is a bug and
should be fixed, or it is not and it should not be fixed.
It's not enough that "many popular MTAs" allow procmail not to be
setuid-root. If the user installs a "popular MTA" and then removes it
and install another one "less popular", allowing procmail not to be
setuid-root easily is a recipe for the disaster.
Sorry, I don't want to help people to lose email.
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.