Your message dated Mon, 16 Mar 2015 09:39:10 +0100
with message-id <20150316083909.gw7...@torres.zugschlus.de>
and subject line Re: Bug#780575: exim4-config: information disclosure issue
has caused the Debian Bug report #780575,
regarding exim4-config: information disclosure issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780575
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: exim4-config
Version: 4.80-7+deb7u1
Severity: grave
Tags: security
Justification: user security hole

Hi folks,


suppose you have set up an exim4 which provides virtual mailing, managing
domains/accounts in a DB, say mysql.

Just adding mysql queries and DB-*authentication data* to the exim4 templates
(both single file or split files configuration) will result in information
disclosure of all virtual mail users/passwords to users who have either shell
access, or can run scripts on the webserver (cgi, php, $whatever) or have any
other means to access these paths:

* /etc/exim4/exim4.conf.template
* /etc/conf.d/
* /var/lib/exim4/config.autogenerated



I strongly suggest changing the modes of

* /etc/exim4
* /var/lib/exim4

to o-rwx.



Thanks
Daniel



-- Package-specific info:
Exim version 4.80 #2 built 24-Jul-2014 03:28:02
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49

exim4-config recommends no packages.

exim4-config suggests no packages.

-- debconf information excluded

--- End Message ---
--- Begin Message ---
On Mon, Mar 16, 2015 at 09:10:02AM +0100, Daniel Reichelt wrote:
> suppose you have set up an exim4 which provides virtual mailing, managing
> domains/accounts in a DB, say mysql.

This means that you have made significant changes to exim's default
configuration.

> Just adding mysql queries and DB-*authentication data* to the exim4 templates
> (both single file or split files configuration) will result in information
> disclosure of all virtual mail users/passwords to users who have either shell
> access, or can run scripts on the webserver (cgi, php, $whatever) or have any
> other means to access these paths:
> 
> * /etc/exim4/exim4.conf.template
> * /etc/conf.d/
> * /var/lib/exim4/config.autogenerated

If this happens, this means that your significant changes to exim's
default configuration didn't go all the way.

> I strongly suggest changing the modes of
> 
> * /etc/exim4
> * /var/lib/exim4
> 
> to o-rwx.

Feel free to do that on your local system. Doing this change in the
package means that people will work as root unnecessarily because
they cannot use shell expansion and other read-only operations as a
normal user.

The security risk you are mentioning does -not- apply to the package
itself, it is created by local admin error.

See also the CFILEMODE option in update-exim4.conf.conf as documented
in update-exim4.conf.conf(5).

For the future, please refrain from reporting non-bugs with an RC
severity at this time of the release.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600420

--- End Message ---
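The report and the maintainer's reply disagree about whose job it is to restrict the files, but they agree on the underlying condition: a world-readable Exim configuration that carries database credentials. The following script is an added example, not code from either message or from the exim4 package; it audits a set of directories for world-readable files containing `mysql_servers`, `pgsql_servers` or `ldap_servers` lines (the Exim options that hold DB credentials, optionally prefixed with `hide`), and offers the local fix the reporter describes, `chmod o-rwx` on the paths an admin chooses. The directories, option names to grep for and the `CFILEMODE` note are assumptions drawn from the thread and from Exim's own option naming; adapt them to the local setup.

```shell
#!/bin/sh
# Added example (not part of the Debian bug thread or the exim4 package):
# audit Exim configuration paths for world-readable files that carry DB
# credentials, and optionally strip "other" access from chosen paths.
#
# Usage as a library:  . ./exim_cred_audit.sh; audit_exim_config /etc/exim4 /var/lib/exim4
# Usage as a script:   sh exim_cred_audit.sh /etc/exim4 /var/lib/exim4
#
# Note: on Debian the mode of /var/lib/exim4/config.autogenerated is set by
# CFILEMODE in /etc/exim4/update-exim4.conf.conf (update-exim4.conf.conf(5)),
# so a chmod on that file alone is undone on the next update-exim4.conf run.

# Print regular files under the given directories whose mode grants read
# access to "other" (o+r). Permission bits are checked, not effective access,
# so this works the same whether run as root or as the exim config owner.
world_readable_files() {
    find "$@" -type f -perm -o=r 2>/dev/null
}

# Succeed (exit 0) if the file contains an Exim option that carries DB
# credentials: mysql_servers / pgsql_servers / ldap_servers, with or without
# the "hide" prefix that only stops them from appearing in "exim -bP" output.
has_db_credentials() {
    grep -Eq '^[[:space:]]*(hide[[:space:]]+)?(mysql|pgsql|ldap)_servers[[:space:]]*=' "$1"
}

# Print one line per world-readable file under the given directories that
# contains DB credentials. Empty output means nothing to fix.
audit_exim_config() {
    world_readable_files "$@" | while IFS= read -r f; do
        if has_db_credentials "$f"; then
            printf 'WORLD-READABLE with DB credentials: %s\n' "$f"
        fi
    done
}

# Number of offending files, as a plain integer on stdout.
count_exposed_files() {
    audit_exim_config "$@" | wc -l | tr -d '[:space:]'
}

# The reporter's local remediation: remove all "other" permission bits from
# each given path (directories and/or files). Apply only to paths you own.
restrict_other_access() {
    chmod o-rwx "$@"
}

# When executed directly with directory arguments, run the audit on them.
if [ "$#" -gt 0 ]; then
    audit_exim_config "$@"
fi
```

The audit deliberately reports by permission bits rather than by trying to read the file as another user, so it can be run from a cron job as root to catch regressions after package upgrades, which is the failure mode the maintainer alludes to when he says a locally tightened mode is a local responsibility.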