Package: courier-authlib
Version: 0.71.0-1
Tags: upstream security buster stretch bullseye
Justification: user security hole
Severity: grave
Usertags: security
/usr/sbin/authtest is a program that can test, from an installation setup, whether the authlib daemon is working without the complete courier suite installed (for a cluster or distributed environment, as I made it). Currently, as a normal user, the users database can be accessed if we set up mysql, postgres or sqlite, and also ldap setups. I mean, a limited account can query users' mail data to make some kind of attack.

This information is revealed from the DB:

    serveruno:$ authtest test
    Authentication succeeded.
    Authenticated: test (uid 244, gid 244)
    Home Directory: /home/users/intranetusers/test
    Maildir: /home/users/intranetusers/test/Maildir
    Quota: (none)
    Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
    Cleartext Password: 1
    Options: (none)

Of course, not storing the clear password is good practice, but in intranets and corporate environments known passwords are mandatory due to the management of users. In any case, this information is too open.

We used authpasswd to check that the users DB setup is working on changes and upgrades. For this upgrade from a stable installation, to properly test the latest version before sending this report: the problem is present in all the versions packaged by Debian.

I asked upstream, but this problem is so obvious that I send it to Debian. A sensible solution is to limit access to the program (what I do):

    chmod 750 /usr/sbin/authtest
    chown courier:root /usr/sbin/authtest

I already asked upstream, but I don't know what Sam will think about it!

ADDITIONAL NOTE: the package that owns the program is authlib. This is completely wrong, because important setup is not retrieved by reportbug, like the modified authdaemon setup files. /usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest must belong to authdaemon (to make sense).

Kernel: Linux 5.10.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-authlib depends on:
ii  adduser     3.118
ii  libc6       2.31-9
ii  libgcc-s1   10.2.1-6
ii  libgdbm6    1.19-2
ii  libltdl7    2.4.6-15
ii  libpam0g    1.4.0-6
ii  libstdc++6  10.2.1-6

Versions of packages courier-authlib recommends:
pn  expect      <none>

courier-authlib suggests no packages.

-- no debconf information
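The following is an added example, not part of the bug report or of the courier-authlib package: a small POSIX sh check that an administrator can run to find out whether the three authlib helper binaries named in the report are still executable by any local user, plus a function applying the reporter's own chmod/chown mitigation. The AUTHLIB_BINDIR variable and the function names are assumptions of this example so the check can be pointed at a test directory.

```shell
#!/bin/sh
# Added example (not from the report): audit and restrict the courier-authlib
# helper binaries so unprivileged local users cannot query the users database.
# AUTHLIB_BINDIR is an assumed variable; it defaults to the path in the report.
AUTHLIB_BINDIR="${AUTHLIB_BINDIR:-/usr/sbin}"
AUTHLIB_HELPERS="authtest authpasswd authenumerate"

# world_exec FILE: succeed if "others" have the execute bit on FILE
world_exec() {
    mode=$(stat -c '%a' "$1") || return 1
    # last octal digit is the "others" triplet; execute is bit value 1
    others=$(( ${mode#"${mode%?}"} & 1 ))
    [ "$others" -eq 1 ]
}

# check_helpers: report each helper any local user can run; return 1 if any
check_helpers() {
    rc=0
    for h in $AUTHLIB_HELPERS; do
        f="$AUTHLIB_BINDIR/$h"
        [ -e "$f" ] || continue
        if world_exec "$f"; then
            printf 'INSECURE: %s is executable by any local user\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# restrict_helpers: apply the reporter's mitigation (chmod 750, courier:root);
# chown needs root, so a failure there is only warned about
restrict_helpers() {
    for h in $AUTHLIB_HELPERS; do
        f="$AUTHLIB_BINDIR/$h"
        [ -e "$f" ] || continue
        chmod 750 "$f"
        chown courier:root "$f" 2>/dev/null ||
            printf 'warning: could not chown %s (run as root)\n' "$f" >&2
    done
}
```

Run `check_helpers` after every package upgrade, since a new package version may reinstall the binaries with their default 755 mode.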