Let's see: https://lists.andrew.cmu.edu/pipermail/cyrus-devel/2017-February/004000.html
(Also please keep 854...@bugs.debian.org in Cc: in future replies)

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for baking bread of all kinds

On Tue, Feb 7, 2017, at 16:04, Måns Nilsson wrote:
> Subject: Re: Bug#854286: cyrus-imapd: cyrus user has a working shell.
> Date: Tue, Feb 07, 2017 at 02:02:22PM +0100
> Quoting Ondřej Surý (ond...@sury.org):
> > Control: tags -1 +moreinfo
> >
> > Hi Mans,
> >
> > the cyrus user is created with disabled credentials:
> >
> > adduser --quiet --system --ingroup mail --home /var/spool/cyrus \
> >     --shell /bin/sh --no-create-home --disabled-password \
> >     --gecos "Cyrus Mailsystem User" cyrus >/dev/null
> >
> > and as you have changed that I don't see how it's a package fault that
> > you chose to use a weak password?
> >
> > Disabling the shell is not a strong security countermeasure for weak
> > passwords - f.e. the attacker might have been able to modify the sieve
> > scripts by authenticating to the cyrus user, etc.
>
> Hi,
>
> I know I did choose a bad password, that is my fault; no discussion on
> that ;-)
>
> But, as I use Kerberos the '--disabled-password' is moot. I can create a
> user with :*: in the shadow file and login anyway; I do that frequently.
> We need some other method...
>
> It all boils down to -- for what purpose does the cyrus user need a
> shell?
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> I can't think about that. It doesn't go with HEDGES in the shape of
> LITTLE LULU -- or ROBOTS making BRICKS ...
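
An audit for the situation raised in the thread, where a locked shadow entry (`*` or `!`) does not by itself rule out a login and the account's shell is what remains: the script lists non-root system accounts that still have a login shell, together with the state of their shadow password field. This is an added example, not code from the thread or from the Debian package; the function names, the UID cutoff of 999 and the sample passwd/shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data modelled on the account discussed in the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cyrus:x:110:8:Cyrus Mailsystem User:/var/spool/cyrus:/bin/sh
postfix:x:111:115::/var/spool/postfix:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:17200:0:99999:7:::
daemon:*:17200:0:99999:7:::
cyrus:*:17200:0:99999:7:::
postfix:!:17200:0:99999:7:::
alice:$6$constructed$hash:17200:0:99999:7:::
EOF
}

# audit_system_shells SHADOW PASSWD [MAX_SYSTEM_UID]   (hypothetical helper)
# Lists non-root system accounts that still have a login shell, with the
# state of their shadow password field (locked / empty / set / unknown).
audit_system_shells() {
    awk -F: -v max="${3:-999}" '
        FILENAME == ARGV[1] {            # first file: shadow
            state[$1] = ($2 == "") ? "empty" : (($2 ~ /^[!*]/) ? "locked" : "set")
            next
        }
        {                                # second file: passwd
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if ($3 == 0 || $3 > max) next         # skip root and regular users
            if (shell ~ /\/(nologin|false)$/) next
            print $1, $3, shell, (($1 in state) ? state[$1] : "unknown")
        }
    ' "$1" "$2"
}

# Run the audit over the constructed sample files.
audit_demo() {
    dir=$(mktemp -d) || return 1
    sample_shadow > "$dir/shadow"
    sample_passwd > "$dir/passwd"
    audit_system_shells "$dir/shadow" "$dir/passwd"
    rm -rf "$dir"
}
audit_demo
```

On a real host the two arguments would be `/etc/shadow` and `/etc/passwd`, read as root; a row reported as `locked` with a real shell is the combination the thread is about.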