Package: cyrus-imapd
Version: cyrus-imapd
Severity: important
Tags: patch

Dear Maintainer,

* What led up to the situation?

I was owned by a cracker that exploited the fact that cyrus has /bin/sh as shell.

* What exactly did you do (or not do) that was effective (or ineffective)?

I'd set a simple password for cyrus, and expected to use that for situations where authenticating as cyrus would be done without a shell being opened. I run Kerberos 5 as the authentication system, and GSSAPI for my IMAP access, so giving "cyrus" a Kerberos principal was important to get some admin stuff working.

* What was the outcome of this action?

I was owned and had to spend an evening rebooting and patching.

* What outcome did you expect instead?

Happiness ;-)

* Fix:

I've done a bunch of quick tests simply setting the cyrus user shell to /bin/false. The IMAP server works as before, but I've not tested all functions. If for some reason the shell must remain usable, it is probably advisable to admonish people into setting a good password.

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
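The check behind the fix above, as an added example that is not part of the bug report or of the cyrus-imapd package: a POSIX sh audit that reads passwd-format text and lists system accounts (uid below 1000, root excluded) that still carry an interactive shell, plus the `usermod -s /bin/false` line that remediates one. The passwd listing embedded below is a constructed fixture, not a real system file.

```shell
#!/bin/sh
# Added example: audit passwd-format text for service accounts with a login
# shell, the condition the report describes for the cyrus user.
# SAMPLE_PASSWD is a constructed fixture (uids and homes are illustrative).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cyrus:x:106:110:Cyrus Mailsystem:/var/spool/cyrus:/bin/sh
postfix:x:107:112::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Shells that cannot be used to obtain an interactive session.
NOLOGIN_SHELLS='/bin/false /usr/sbin/nologin /sbin/nologin'

is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Reads passwd-format lines on stdin; prints "user:shell" for every system
# account (uid < 1000, not root) whose shell is interactive.
find_system_accounts_with_shell() {
    while IFS=: read -r user _ uid _ _ _ shell; do
        [ -z "$user" ] && continue
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed uid
        [ "$uid" -eq 0 ] && continue
        [ "$uid" -ge 1000 ] && continue
        if ! is_nologin_shell "$shell"; then
            printf '%s:%s\n' "$user" "$shell"
        fi
    done
}

# The remediation the report applied to cyrus, for any flagged account.
remediation_command() {
    printf 'usermod -s /bin/false %s\n' "$1"
}

# Run the audit over the constructed fixture (use /etc/passwd on a real host).
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_system_accounts_with_shell
}
```

On a live system replace the fixture with `find_system_accounts_with_shell < /etc/passwd`; each line it prints is a candidate for the remediation command.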