Package: esmtp
Version: 1.2-4squeeze1
Severity: normal
Tags: patch

The package as shipped ensures that the configuration file is not a
symbolic link.  This is most likely unnecessary, as I don't believe
there is any security risk in reading from a symlink.

Changing 'lstat' to 'stat' on line 170 of parser.y fixes this.  I've
attached a patch.

I keep my configuration files in a version-controlled directory,
~/etc, and symlink them into ~/.  esmtp is the only package I use that
complains about this arrangement.

(This is the first bug I've reported to Debian.  Please let me know if
I've messed up somehow.)

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages esmtp depends on:
ii  debconf [debconf-2.0]         1.5.36.1   Debian configuration management sy
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libesmtp5                     1.0.4-5    LibESMTP SMTP client library

esmtp recommends no packages.

Versions of packages esmtp suggests:
pn  esmtp-run                     <none>     (no description available)
ii  procmail                      3.22-19    Versatile e-mail processor

-- debconf information:
  esmtp/mda: procmail
  esmtp/username:
  esmtp/overwriteconfig: false
  esmtp/hostname: localdomain
  esmtp/starttls: disabled
  esmtp/hostport: 25

*** /home/duncan/src/esmtp-1.2/debian/patches/allow-symlinked-config.patch
## Description: Permit configuration file to be a symbolic link
## Author: Duncan Smith <dun...@xrtc.net>
Index: esmtp-1.2/parser.y
===================================================================
--- esmtp-1.2.orig/parser.y     2011-12-17 19:53:01.000000000 -0800
+++ esmtp-1.2/parser.y  2011-12-17 19:52:50.000000000 -0800
@@ -167,11 +167,11 @@
         * process, it must have permissions no greater than 600, and it must
         * not be a symbolic link.  We check these conditions here. 
         */
-       if (lstat(pathname, &statbuf) < 0) {
+       if (stat(pathname, &statbuf) < 0) {
                if (errno == ENOENT) 
                        return 0;
                else {
-                       fprintf(stderr, "lstat: %s: %s\n", pathname, 
strerror(errno));
+                       fprintf(stderr, "stat: %s: %s\n", pathname, 
strerror(errno));
                        return -1;
                }
        }
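Review bot: The block comment kept as context above the changed call still says the file "must not be a symbolic link. We check these conditions here.", which stops being true once `lstat` becomes `stat`. Update that comment in the same patch so it describes what is actually enforced. With `stat()` the contents of `statbuf` describe the link target, so the "permissions no greater than 600" condition mentioned in the comment is evaluated against the target file rather than the link itself; the new comment should say so. A dangling symlink now makes `stat()` fail with `ENOENT` and take the `return 0` branch, so a broken link is silently treated the same as a missing configuration file; consider reporting that case instead. The two `fprintf` lines also arrived wrapped by the mailer, with `strerror(errno));` on a line of its own and no diff prefix, so the hunk may not apply as pasted and is better sent as an attachment.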
