Martin Wache <wa...@abstracture.de> writes:

> Package: nullmailer
> Version: 1:1.13-1.2
>
> To reproduce, install nullmailer, add a remote server using smtp with
> user/password via debian configuration.
> The smtp server user and password will be stored in
> /etc/nullmailer/remotes with mode 600, user mail:mail.
> When e-mails are sent the smtp helper is called with the credentials in
> the command line. Any local user can now see the password using ps, etc:
>
> heinz@.....:~$ ps ax | grep smtp
> 11252 ? S 0:00 /usr/lib/nullmailer/smtp -d -s --ssl
> --user=...@abstracture.de --pass=XXXX smtp.mail.com
> 11254 pts/0 S+ 0:00 grep smtp
>
> I have replaced the actual password with XXXX in this example.
>
> Expected behaviour is not to show the smtp password in the command line
> to any user.
>
> Regards,
>
> Martin Wache

Hi Martin

I believe this bug is fixed in the 2.x series of nullmailer, which changed the way that arguments are passed to the helper. If you would like to test, 2.1 is available from stretch backports. There could be configuration incompatibilities between 1.x and 2.x, so I would recommend testing on a non-mission-critical machine.

d
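
To audit a host for the exposure described in the report, the following added example (not part of the original thread and not nullmailer code) reads the NUL-separated argv from `/proc/<pid>/cmdline` and flags secret-bearing options, redacting their values in the output. The flag-name list, the function names and the sample blob are assumptions of this example.

```python
import os
import re

# Flag names treated as secret-bearing: an assumption of this example, extend as needed.
SECRET_FLAG = re.compile(r"^--?(pass|password|passwd|secret|token)$", re.I)

# Constructed sample modelled on the ps output in the report (argv is NUL-separated
# in /proc/<pid>/cmdline); the user name is a placeholder.
SAMPLE = (b"/usr/lib/nullmailer/smtp\0-d\0-s\0--ssl\0"
          b"--user=user@example.invalid\0--pass=XXXX\0smtp.mail.com\0")

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob into its arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_exposed(argv):
    """Return (matching flags, argv copy with the secret values redacted)."""
    hits, redacted = [], list(argv)
    for i, arg in enumerate(argv):
        flag, sep, _value = arg.partition("=")
        if not SECRET_FLAG.match(flag):
            continue
        if sep:                       # --pass=VALUE form
            redacted[i] = flag + "=<redacted>"
            hits.append(flag)
        elif i + 1 < len(argv):       # --pass VALUE form
            redacted[i + 1] = "<redacted>"
            hits.append(flag)
    return hits, redacted

def scan_proc(proc="/proc"):
    """Check every process visible to the current user; return (pid, flags, argv)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                hits, redacted = find_exposed(parse_cmdline(fh.read()))
        except OSError:               # process exited or access denied
            continue
        if hits:
            findings.append((int(pid), hits, redacted))
    return findings

if __name__ == "__main__":
    print(find_exposed(parse_cmdline(SAMPLE)))
    for pid, flags, argv in scan_proc():
        print(pid, ",".join(flags), " ".join(argv))
```

Short-lived helpers such as the smtp process in the report are only caught if the scan happens to run while they are alive, so run it repeatedly or during a mail send.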