Package: dovecot-core
Version: 1:2.1.7-7
Severity: important
Tags: security

According to http://wiki2.dovecot.org/UserIds upstream recommends special
restrictions for the user dovenull:

  dovenull user is used internally for processing users' logins. It
  shouldn't have access to any files, authentication databases or anything
  else either. It should belong to its own private dovenull group where no
  one else belongs to, and which doesn't have access to any files either
  (other than what Dovecot internally creates).

Important part: "... private dovenull group where no one else belongs ..."

Currently my install has:

$ id dovenull
uid=107(dovenull) gid=65534(nogroup) groups=65534(nogroup)

And to nogroup belong plenty of other users:

$ cat /etc/passwd | grep ':65534:'
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dovenull:x:107:65534:Dovecot login user,,,:/nonexistent:/bin/false

This configuration mismatch is not described in:
/usr/share/doc/dovecot-core/README.Debian.gz

This does not follow upstream recommendations and can raise unplanned
security issues. Please fix this or explain in
/usr/share/doc/dovecot-core/README.Debian.gz why Debian does not follow the
upstream recommendation.

-- Package-specific info:

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-7-pve (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages dovecot-core depends on:
ii  adduser         3.113+nmu3
ii  libbz2-1.0      1.0.6-4
ii  libc6           2.13-38
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libssl1.0.0     1.0.1e-2
ii  openssl         1.0.1e-2
ii  ucf             3.0025+nmu3
ii  zlib1g          1:1.2.7.dfsg-13

dovecot-core recommends no packages.

Versions of packages dovecot-core suggests:
pn  dovecot-gssapi       <none>
ii  dovecot-imapd        1:2.1.7-7
pn  dovecot-ldap         <none>
pn  dovecot-lmtpd        <none>
pn  dovecot-managesieved <none>
pn  dovecot-mysql        <none>
pn  dovecot-pgsql        <none>
pn  dovecot-pop3d        <none>
pn  dovecot-sieve        <none>
pn  dovecot-solr         <none>
pn  dovecot-sqlite       <none>
pn  ntp                  <none>

Versions of packages dovecot-core is related to:
ii  dovecot-core [dovecot-common]  1:2.1.7-7
pn  dovecot-dbg                    <none>
pn  dovecot-dev                    <none>
pn  dovecot-gssapi                 <none>
ii  dovecot-imapd                  1:2.1.7-7
pn  dovecot-ldap                   <none>
pn  dovecot-lmtpd                  <none>
pn  dovecot-managesieved           <none>
pn  dovecot-mysql                  <none>
pn  dovecot-pgsql                  <none>
pn  dovecot-pop3d                  <none>
pn  dovecot-sieve                  <none>
pn  dovecot-sqlite                 <none>

-- no debconf information
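The check the reporter did by hand with `id` and `grep`, written up as a reusable script. This is an added example and not code from the bug report, from Debian or from Dovecot. It works on a /etc/passwd and /etc/group excerpt that is constructed inline to reproduce the report's layout (the `dovecot`, `fooapp`, `alice` entries and the GIDs 114 and 1001 are assumptions for the demonstration). It reports a service account's primary group as private only when no other account uses that GID as its primary group and the group has no supplementary members, which is what the upstream wiki text asks for.

```shell
#!/bin/sh
# Added example: is a service account's primary group private?
# Not part of the bug report, Debian, or Dovecot.

# Constructed /etc/passwd excerpt (sample data, not read from the live system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
dovenull:x:107:65534:Dovecot login user,,,:/nonexistent:/bin/false
dovecot:x:106:114:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
fooapp:x:108:1001:hypothetical app,,,:/nonexistent:/bin/false'

# Constructed /etc/group excerpt.  fooapp's group is private in passwd terms
# but has a supplementary member, which must also fail the check.
SAMPLE_GROUP='nogroup:x:65534:
dovecot:x:114:
fooapp:x:1001:alice'

# primary_gid PASSWD USER -> prints USER's primary GID (passwd field 4).
primary_gid() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $4; exit }'
}

# gid_sharers PASSWD USER -> prints, one per line, every OTHER account whose
# primary GID equals USER's.  No output means no other primary members.
gid_sharers() {
    gid=$(primary_gid "$1" "$2")
    [ -n "$gid" ] || return 1
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$gid" '$4 == g && $1 != u { print $1 }'
}

# group_members GROUP GID -> supplementary members listed for GID in /etc/group.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$3 == g { print $4 }' | tr ',' '\n' | sed '/^$/d'
}

# check_private_group PASSWD GROUP USER -> returns 0 if USER's primary group
# is private (no other primary members, no supplementary members), 1 and a
# list of the offenders otherwise, 2 if USER does not exist.
check_private_group() {
    gid=$(primary_gid "$1" "$3")
    if [ -z "$gid" ]; then
        echo "ERROR: no passwd entry for $3"
        return 2
    fi
    sharers=$(gid_sharers "$1" "$3")
    members=$(group_members "$2" "$gid")
    if [ -z "$sharers" ] && [ -z "$members" ]; then
        echo "OK: $3 (gid $gid) has a private primary group"
        return 0
    fi
    echo "WARN: gid $gid of $3 is shared with:" $sharers $members
    return 1
}

# Demo on the constructed data: dovenull fails (gid 65534 is shared with
# sync, nobody and sshd), dovecot passes, fooapp fails because of alice.
for u in dovenull dovecot fooapp; do
    check_private_group "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$u" || :
done
```

On a live system, replace the constructed samples with `"$(getent passwd)"` and `"$(getent group)"` so that accounts served by NSS sources other than the flat files are included; the `id dovenull` output in the report only shows the one account and cannot reveal who else shares the GID.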