Hi,
Following user questions, here's my understanding of the current situation:
- The issue is partially fixed in Debian by optionally not setting the
setuid permissions (debconf question), and setting 'aliases_program' to
a method that does not require root (postmap/postalias for Postfix,
/bin/true for Exim4, etc.).
- Likewise, the issue is partially fixed in upstream dev through
./configure --disable-setuid_newaliases --disable-setuid
- The issue will be completely fixed once all MTAs are supported, in
particular sendmail which requires calling 'newaliases' as root. This
could be done e.g. setuid-wrapping not sympa but just the 'newaliases'
command, or dropping support for root 'newaliases' entirely.
- Upstream tracks this issue at
https://github.com/sympa-community/sympa/issues/1009
Discuss the issue there in priority.
Cheers!
Sylvain
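
An added example, not part of the original message or of Sympa's own code: a shell audit for the two mitigations described above, which reads 'aliases_program' from a Sympa configuration file and lists files that still carry the setuid bit. The configuration and directory paths are supplied by the caller; the function names and the "last occurrence wins" parsing rule are assumptions.

```shell
#!/bin/sh
# Added example: audit a Sympa host for the mitigations described above.
# Paths are passed in by the caller; none come from the original message.

# Print the aliases_program value from a sympa.conf-style file
# ("key value" lines, '#' comments). Assumption: last occurrence wins.
aliases_program_value() {
    awk '$1 == "aliases_program" { v = $2 } END { if (v != "") print v }' "$1"
}

# Classify a value. The message names postmap, postalias and /bin/true as
# methods that do not require root, and newaliases as the one that does.
classify_aliases_program() {
    case "${1##*/}" in
        postmap|postalias|true) echo "no-root" ;;
        newaliases)             echo "needs-root" ;;
        "")                     echo "unset" ;;
        *)                      echo "unknown" ;;
    esac
}

# List regular files under a directory that still carry the setuid bit.
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Report both findings. Returns 0 only when the configured program does
# not require root and no setuid file remains in the given directory.
audit_sympa() {
    conf=$1 bindir=$2
    value=$(aliases_program_value "$conf")
    class=$(classify_aliases_program "$value")
    leftovers=$(setuid_files "$bindir")
    echo "aliases_program: ${value:-<unset>} ($class)"
    if [ -n "$leftovers" ]; then
        echo "setuid files still present:"
        echo "$leftovers"
    fi
    [ "$class" = "no-root" ] && [ -z "$leftovers" ]
}

# Usage: audit.sh /path/to/sympa.conf /path/to/wrapper/dir
if [ "$#" -eq 2 ]; then
    audit_sympa "$1" "$2"
fi
```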