Your message dated Tue, 31 Oct 2017 11:51:02 +0100
with message-id <c25156f1-51ea-3bfe-5bad-a01fafc80...@bluegap.ch>
and subject line Re: Bug#880222: courier-imap: couriertcpd running as root 
while listening on port 143
has caused the Debian Bug report #880222,
regarding courier-imap: couriertcpd running as root while listening on port 143
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
880222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880222
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: courier-imap
Version: 4.17.2+0.76.3-5
Severity: grave
Tags: security
Justification: user security hole

Dear Marcus,

couriertcpd runs as root instead of the courier user for IMAP connections. 
I've not found (nor looked for) any exploit, but I think running as root while 
listening on a network socket is a security risk of its own.

Please have a look here: 
https://sourceforge.net/p/courier/mailman/message/36096805/

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable'), (600, 'unstable'), (400, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-imap depends on:
ii  courier-authlib                     0.66.4-9
ii  courier-base                        0.76.3-5
ii  courier-mta [mail-transport-agent]  0.76.3-5
ii  debconf [debconf-2.0]               1.5.61
ii  init-system-helpers                 1.48
ii  libc6                               2.24-11+deb9u1
ii  libcourier-unicode1                 1.4-3+b1
ii  libgamin0 [libfam0]                 0.1.10-5+b1
ii  libgdbm3                            1.8.3-14
ii  libidn11                            1.33-1
ii  sysvinit-utils                      2.88dsf-59.9

courier-imap recommends no packages.

Versions of packages courier-imap suggests:
ii  courier-doc  0.76.3-5
pn  imap-client  <none>

-- Configuration Files:
/etc/courier/imapd changed:
ADDRESS=0
PORT=143
MAXDAEMONS=120
MAXPERIP=200
PIDFILE=/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
IMAPACCESSFILE=/etc/courier/imapaccess
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_MAILBOX_SANITY_CHECK=1
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=131072
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIRPATH=Maildir

/etc/courier/imapd-ssl changed:
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/run/courier/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_CIPHER_LIST="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA"
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_DHPARAMS=/etc/courier/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/cert.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

/etc/courier/imapd.cnf [Errno 13] Permission denied: '/etc/courier/imapd.cnf'

-- no debconf information

--- End Message ---
--- Begin Message ---
Control: tags -1 +wontfix
Control: notfound -1 0.76.3-5

On 10/30/2017 07:19 PM, Lucio Crusca wrote:
> couriertcpd runs as root instead of the courier user for IMAP
> connections.
> I've not found (nor looked for) any exploit, but I think running as
> root while listening on a network socket is a security risk of its
> own.

The first 1024 ports are privileged and reserved for the root user, so
only root can open them. Most services drop privileges after that.

On 10/31/2017 07:19 AM, Lucio Crusca wrote:
> On 30/10/2017 22:59, Sam Varshavchik wrote:
>> The process UIDs are correct. The IMAP server runs as root until it
>> logs in.
>
> @Marcus: then please close as invalid the bug report I filed about it.

Please take more care before filing such an issue. This causes only
unneeded work.

Kind Regards

Markus Wanner

--- End Message ---
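
The point made in the replies above (root is needed to bind port 143, and privileges are dropped later) can be checked per process from the `Uid:` line of `/proc/<pid>/status`, which lists the real, effective, saved and filesystem UIDs. This is an added example, not part of the original thread or of Courier; the sample status text, PIDs and classification labels are constructed for illustration, and capabilities are not considered.

```python
# Added example: judge a daemon's privilege state from /proc/<pid>/status text.
PRIVILEGED_PORT_LIMIT = 1024  # binding below this needs root or CAP_NET_BIND_SERVICE

# Constructed samples (not captured from a real Courier host).
SAMPLE_LISTENER = "Name:\tcouriertcpd\nPid:\t4101\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_SESSION = "Name:\timapd\nPid:\t4188\nUid:\t1001\t1001\t1001\t1001\n"
SAMPLE_HALF_DROP = "Name:\texampled\nPid:\t4200\nUid:\t1001\t1001\t0\t1001\n"


def parse_uids(status_text):
    """Return (real, effective, saved, filesystem) UIDs from status text."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == "Uid":
            uids = tuple(int(v) for v in value.split())
            if len(uids) != 4:
                raise ValueError("malformed Uid line: %r" % line)
            return uids
    raise ValueError("no Uid line found")


def classify(status_text, listen_port=None):
    """Label a process; listen_port is the TCP port it listens on, if any."""
    uids = parse_uids(status_text)
    if all(u == 0 for u in uids):
        if listen_port is not None and 0 < listen_port < PRIVILEGED_PORT_LIMIT:
            # Expected for a listener that must bind a privileged port.
            return "root, needed to bind port %d" % listen_port
        return "root, not explained by a privileged bind"
    if 0 in uids:
        # A 0 left in the real or saved slot lets the process switch back
        # to root; a 0 in the filesystem slot keeps root file access.
        return "incomplete drop"
    return "dropped"


if __name__ == "__main__":
    print(classify(SAMPLE_LISTENER, listen_port=143))
    print(classify(SAMPLE_SESSION))
    print(classify(SAMPLE_HALF_DROP))
```

On a live system the status text comes from reading `/proc/<pid>/status` for each PID of interest.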
