Package: gracie
Severity: serious
Version: 0.2.11-1
Tags: security

The gracie daemon runs with root privileges

The daemon is an HTTP server that is intended to listen for connections from the public internet. Therefore, it should not be root.

However, some of the PAM functionality requires root privileges.

It seems appropriate to split the daemon into two processes, one with root privileges, the other with minimal privileges for acting as the HTTP server.

Alternatively, gracie could be modified to communicate over a socket with saslauthd or some other existing process that runs as root.



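The two-process split proposed in the report, as an added example (not gracie's code and not part of the original report): a parent that keeps root and answers only password checks over a socketpair, and a forked child that drops privileges before running the HTTP-facing code. The function names, the JSON-lines protocol and the `nobody` account are assumptions, and `check_password` stands in for the PAM call.

```python
import json, os, pwd, socket

# Assumption: check_password(user, password) stands in for the PAM call;
# all names and the one-JSON-object-per-line protocol are illustrative.
def drop_privileges(user):
    """Permanently become `user`; returns False when not started as root."""
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])       # supplementary groups first
    os.setgid(pw.pw_gid)   # then gid, while we are still allowed to
    os.setuid(pw.pw_uid)   # uid last; root cannot be regained afterwards
    return True

def serve_auth(sock, check_password):
    """Privileged side: answers one kind of question and nothing else."""
    with sock, sock.makefile("rw") as chan:
        for line in chan:
            try:
                req = json.loads(line)
                ok = bool(check_password(req["user"], req["password"]))
            except (ValueError, KeyError, TypeError):
                ok = False  # malformed request: fail closed
            chan.write(json.dumps({"ok": ok}) + "\n")
            chan.flush()

class AuthClient:
    """Unprivileged side: the only path from the HTTP code to root."""
    def __init__(self, sock):
        self.sock, self.chan = sock, sock.makefile("rw")

    def authenticate(self, user, password):
        self.chan.write(json.dumps({"user": user, "password": password}) + "\n")
        self.chan.flush()
        return json.loads(self.chan.readline())["ok"]

def run_split(check_password, worker, user="nobody"):
    """Fork: the child drops privileges and runs worker(client); the parent
    keeps root and serves auth requests until the child exits."""
    root_end, worker_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        code = 1
        try:
            root_end.close()
            drop_privileges(user)
            code = int(worker(AuthClient(worker_end)))
        finally:
            os._exit(code)
    worker_end.close()
    serve_auth(root_end, check_password)
    status = os.waitpid(pid, 0)[1]
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
```

In a real daemon `worker` would be the HTTP server loop, so a compromise of the request-handling code yields only the unprivileged account and the ability to ask yes/no authentication questions.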