Package: gracie
Severity: serious
Version: 0.2.11-1
Tags: security
The gracie daemon runs with root privileges
The daemon is an HTTP server that is intended to listen for connections
from the public internet. Therefore, it should not be root.
However, some of the PAM functionality requires root privileges.
It seems appropriate to split the daemon into two processes, one with
root privileges, the other with minimal privileges for acting as the
HTTP server.
Alternatively, gracie could be modified to communicate over a socket
with saslauthd or some other existing process that runs as root.
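
The two-process split proposed above, shown as an added example that is not gracie's code and not part of the original report: a helper that keeps root answers only yes/no authentication queries over a socket pair, while the process that will serve HTTP drops root before handling any request. The function names, the line-delimited JSON protocol, the `nobody` account and the `demo_verify` stand-in for the PAM check are all assumptions made for illustration.

```python
import hmac, json, os, pwd, socket

def drop_privileges(username):
    """Permanently give up root. No-op if username is None or we are not root."""
    if username is None or os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(username)
    os.setgroups([])          # drop supplementary groups first
    os.setgid(pw.pw_gid)      # group before user: after setuid we could not change it
    os.setuid(pw.pw_uid)
    return True

def privileged_helper(sock, verify):
    """Root side: answers {"user","password"} lines with {"ok": bool}, nothing else."""
    with sock, sock.makefile("rb") as requests:
        for line in iter(lambda: requests.readline(4096), b""):
            try:
                req = json.loads(line)
                ok = bool(verify(str(req["user"]), str(req["password"])))
            except (ValueError, KeyError, TypeError):
                ok = False    # malformed request: fail closed
            sock.sendall(json.dumps({"ok": ok}).encode() + b"\n")

def start_privsep(verify, run_as="nobody"):
    """Fork the helper (keeps root), then drop root in the calling process."""
    helper_end, server_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:              # child: privileged helper, never sees HTTP traffic
        server_end.close()
        try:
            privileged_helper(helper_end, verify)
        finally:
            os._exit(0)
    helper_end.close()
    drop_privileges(run_as)   # from here on this process is the HTTP server
    return pid, server_end

def check_login(sock, user, password):
    """Unprivileged side: ask the helper; EOF or a non-true reply is a refusal."""
    sock.sendall(json.dumps({"user": user, "password": password}).encode() + b"\n")
    with sock.makefile("rb") as replies:
        reply = replies.readline()
    return bool(reply) and json.loads(reply).get("ok") is True

def demo_verify(user, password):  # constructed stand-in for the real PAM call
    return user == "alice" and hmac.compare_digest(password.encode(), b"correct horse")

if __name__ == "__main__":
    pid, sock = start_privsep(demo_verify)
    print(check_login(sock, "alice", "correct horse"), check_login(sock, "alice", "nope"))
```

A compromise of the HTTP-facing process then yields only the ability to ask the helper whether a user/password pair is valid, not root on the host.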