Package: courier-imap
Version: 4.17.2+0.76.3-5
Severity: grave
Tags: security
Justification: user security hole

Dear Marcus,

couriertcpd runs as root instead of the courier user for IMAP connections. I've not found (nor looked for) any exploit, but I think running as root while listening on a network socket is a security risk of its own.

Please have a look here:
https://sourceforge.net/p/courier/mailman/message/36096805/

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'unstable'), (400, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-imap depends on:
ii  courier-authlib                     0.66.4-9
ii  courier-base                        0.76.3-5
ii  courier-mta [mail-transport-agent]  0.76.3-5
ii  debconf [debconf-2.0]               1.5.61
ii  init-system-helpers                 1.48
ii  libc6                               2.24-11+deb9u1
ii  libcourier-unicode1                 1.4-3+b1
ii  libgamin0 [libfam0]                 0.1.10-5+b1
ii  libgdbm3                            1.8.3-14
ii  libidn11                            1.33-1
ii  sysvinit-utils                      2.88dsf-59.9

courier-imap recommends no packages.

Versions of packages courier-imap suggests:
ii  courier-doc  0.76.3-5
pn  imap-client  <none>

-- Configuration Files:
/etc/courier/imapd changed:
ADDRESS=0
PORT=143
MAXDAEMONS=120
MAXPERIP=200
PIDFILE=/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
IMAPACCESSFILE=/etc/courier/imapaccess
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=131072
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

/etc/courier/imapd-ssl changed:
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_DHPARAMS=/etc/courier/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/cert.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

/etc/courier/imapd.cnf [Errno 13] Permission denied: '/etc/courier/imapd.cnf'

-- no debconf information
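
A way to check a host for the condition reported above, added here as an example (not part of the original report and not Courier or Debian code). It assumes a Linux /proc filesystem and takes ports 143 and 993 from the PORT and SSLPORT settings in the report; the function names are hypothetical, and it has to run as root to read other processes' descriptor tables.

```python
import os
import re

def listening_inodes(proc_net_tcp_text, ports):
    """Map socket inode -> local port for LISTEN (state 0A) sockets on `ports`."""
    found = {}
    for line in proc_net_tcp_text.splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)             # hex port after the last ':'
        if port in ports:
            found[f[9]] = port                             # field 9 is the socket inode
    return found

def effective_uid(status_text):
    """Effective UID is the second number on the Uid: line of /proc/PID/status."""
    m = re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M)
    return int(m.group(1)) if m else None

def root_listeners(ports=(143, 993), proc="/proc"):
    """Return sorted (pid, port, name) for euid-0 processes holding a listener."""
    inodes = {}
    for table in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc, table)) as fh:
                inodes.update(listening_inodes(fh.read(), ports))
        except OSError:
            pass                                           # table absent, e.g. no IPv6
    hits = set()
    pids = os.listdir(proc) if os.path.isdir(proc) else []
    for pid in filter(str.isdigit, pids):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if not m or m.group(1) not in inodes:
                    continue
                with open(f"{proc}/{pid}/status") as fh:
                    status = fh.read()
                if effective_uid(status) == 0:
                    hits.add((int(pid), inodes[m.group(1)], status.split()[1]))
        except OSError:
            continue                                       # process exited or fd dir unreadable
    return sorted(hits)

if __name__ == "__main__":
    for pid, port, name in root_listeners():
        print(f"port {port}: pid {pid} ({name}) is listening with effective UID 0")
```

The check reads the process's effective UID from /proc/PID/status rather than the uid column of /proc/net/tcp, because that column records who created the socket and stays 0 even when a daemon binds as root and then drops privileges.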