Package: ssmtp
Version: 2.64-4
Severity: important

ssmtp is world readable upon fresh install. This issue seems to be the same as bug #500454
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500454
back in 2009; however, it should have been fixed. Either it wasn't (in which case, the bug report needs to be reopened, I'd imagine) or the permissions have been altered to be world readable again.

-rw-r--r-- 1 root root 577 Mar 2 22:59 /etc/ssmtp/ssmtp.conf

The solution posted in #500454 sounds sufficient. I'll just quote it here for handiness.

--
Please consider fixing this. Example methods:

Add an ssmtp group, change the ownership and permissions of /etc/ssmtp/* to root:ssmtp 0640 or 0660, and make ssmtp/sendmail root:ssmtp and setgid so that when run by a user, it runs as group ssmtp and gets permission to read the file; the user won't ever have permission to read. You could also use the existing "mail" group, if appropriate.

You could also do this using setuid to root or a ssmtp user, but this is unnecessary and has potential security implications that a simple setgid change would not.

This won't require any code changes; it's simply an ownership/permissions tweak.
--

-- System Information:
Debian Release: 6.0.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ssmtp depends on:
ii  debconf [debconf-2.0]  1.5.36.1   Debian configuration management sy
ii  libc6                  2.11.2-10  Embedded GNU C Library: Shared lib
ii  libgnutls26            2.8.6-1    the GNU TLS library - runtime libr

ssmtp recommends no packages.

ssmtp suggests no packages.

-- debconf information excluded
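
An added example, not part of the original report or of the ssmtp package: a small audit of `ls -l` lines against the layout quoted from #500454 (config file root:<group> with no access for "other", binary setgid to that group and not setuid). The names check_conf, check_bin and MAIL_GROUP are assumptions made for this sketch, and every listing line except the first is constructed.

```shell
#!/bin/sh
# Added example (not from the report or the ssmtp package).
# Audits `ls -l` lines against the layout quoted from #500454:
# config root:<group> with no access for "other", binary setgid <group>.
# MAIL_GROUP, check_conf and check_bin are names assumed for this sketch.
MAIL_GROUP="${MAIL_GROUP:-ssmtp}"

# check_conf "<ls -l line>": print one finding per problem; return 1 if any.
check_conf() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    rc=0
    other=$(printf '%s' "$mode" | cut -c8-10)   # the "other" permission triplet
    [ "$other" = "---" ] || { echo "other-access:$other"; rc=1; }
    [ "$owner" = root ] || { echo "owner:$owner"; rc=1; }
    [ "$group" = "$MAIL_GROUP" ] || { echo "group:$group"; rc=1; }
    return $rc
}

# check_bin "<ls -l line>": the binary must be setgid to MAIL_GROUP and,
# per the quoted advice, should not be setuid.
check_bin() {
    read -r mode _links owner group _rest <<EOF
$1
EOF
    rc=0
    [ "$(printf '%s' "$mode" | cut -c7)" = s ] || { echo "not-setgid"; rc=1; }
    case $(printf '%s' "$mode" | cut -c4) in
        s|S) echo "setuid-set"; rc=1 ;;
    esac
    [ "$group" = "$MAIL_GROUP" ] || { echo "group:$group"; rc=1; }
    return $rc
}

# First line is the listing from the report; the others are constructed.
check_conf "-rw-r--r-- 1 root root 577 Mar 2 22:59 /etc/ssmtp/ssmtp.conf" || true
check_conf "-rw-r----- 1 root ssmtp 577 Mar 2 22:59 /etc/ssmtp/ssmtp.conf" || true
check_bin "-rwxr-sr-x 1 root ssmtp 0 Jan 1 00:00 /usr/sbin/ssmtp" || true
```

To audit a live system, pass the output of `ls -l` on the config file and on the binary to the two functions; set MAIL_GROUP=mail if the existing "mail" group is used instead.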