Bug#476576: [dkimproxy] dkimproxy run as user root and not as user dkimproxy, also the home dir of user dkimproxy is posible wrong location, unsafe secret key permission

[Thomas Goirand]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have sent an update of the debian package here:

ftp://ftp.gplhost.com/debian/dists/etch/main/source/dkimproxy_1.0.1-5.dsc

and my usual sponsor has been noticed about it. It should be uploaded
very soon.

Thomas

Falk Hackenberger wrote:
> Package: dkimproxy
> Version: 1.0.1-1
> Severity: serious
> Tags: security
> X-Debbugs-CC: [EMAIL PROTECTED]
> 
> --- Please enter the report below this line. ---
> 
> dkimproxy runs as user root, but it dos not need the rigths of the user
> root, to fix this change /etc/init.d/dkimproxy:
> 
> 30,31c30,31
> < DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} 127.0.0.1:10026
> 127.0.0.1:10027"
> < DKIMPROXY_OUT_ARGS="--keyfile=${DKIMPROXY_OUT_PRIVKEY}
> --selector=postfix --domain=${DOMAIN} --method=simple --signature=dkim
> --signature domainkeys 127.0.0.1:10028 127.0.0.1:10029"
> ---
>> DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} 127.0.0.1:10026
> 127.0.0.1:10027 --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}"
>> DKIMPROXY_OUT_ARGS="--keyfile=${DKIMPROXY_OUT_PRIVKEY}
> --selector=postfix --domain=${DOMAIN} --method=simple --signature=dkim
> --signature domainkeys 127.0.0.1:10028 127.0.0.1:10029
> --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}"
> 
> also the home dir of the user dkimproxy is
> /home/dkimproxy but I think it should be /var/lib/dkimproxy
> 
> the permission of the secret key file are also unsafe,
> the are:
> -rw-r--r-- 1 root root 887 17. Apr 19:22 /var/lib/dkimproxy/private.key
> the should be imho:
> -rw-r----- 1 root dkimproxy 887 17. Apr 19:22
> /var/lib/dkimproxy/private.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFICOaFl4M9yZjvmkkRAvrIAJ4/j3KpEOzV5QZxFcFw56HyGWzQ4QCfTyIU
2Ahx4br6rhwBFp2xNW+TyXY=
=Og1K
-----END PGP SIGNATURE-----



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]