Package: courier-authdaemon
Version: 0.58-3
Severity: critical
Tags: security
Justification: root security hole

Hi,

The current courier-authdaemon package sets 755 permissions on the directory /var/run/courier/authdaemon, which allows non-root users to connect to the authentication daemon. The upstream package sets the permissions to 750, preventing access to the authdaemon socket by non-root users not in the daemon group.

I am reporting this as critical because it allows "access to root (or another privileged system account), or data normally accessible only by such accounts." The courier authdaemon was designed to be accessible only by root or members of the daemon group. It was not architected for global user access.

The current permissions allow any user access to user information about courier mail accounts, including plaintext passwords if they are stored in the system. It also allows them to change passwords if they can guess the old password, and as far as I can tell there is no throttle to prevent dictionary attacks on mail user passwords (hence the necessity of restricted access).

Charles

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (800, 'testing'), (70, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages courier-authdaemon depends on:
ii  courier-authlib               0.58-3     Courier authentication library

courier-authdaemon recommends no packages.

-- no debconf information
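An added audit helper for the misconfiguration described in this report (constructed example, not code from the bug report, courier-authlib or the Debian package): it reports whether a socket directory such as /var/run/courier/authdaemon grants traversal to users outside its owner and group, and applies the 750 mode the report says upstream uses. The function names are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Constructed audit helper for the authdaemon socket-directory issue.
# Not part of courier-authlib or the Debian package. Assumes GNU stat.

# authdir_world_access DIR
#   Exit 0 when the "other" permission bits of DIR are all clear
#   (e.g. 750), exit 1 when any are set (e.g. 755, which lets every
#   local user traverse the directory and reach the socket inside it),
#   exit 2 when DIR does not exist.
authdir_world_access() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")          # octal mode, e.g. 755 or 750
    owner=$(stat -c '%U:%G' "$dir")      # owner:group of the directory
    other=${mode#"${mode%?}"}            # last octal digit = world bits
    if [ "$other" != 0 ]; then
        echo "$dir ($owner) mode $mode: world-accessible, other=$other"
        return 1
    fi
    echo "$dir ($owner) mode $mode: restricted to owner and group"
    return 0
}

# harden_authdir DIR [GROUP]
#   Apply the upstream layout: mode 750 and, when GROUP is given,
#   the group that is allowed to talk to the daemon (e.g. daemon).
#   Re-audits the directory afterwards and returns that result.
harden_authdir() {
    dir=$1
    group=${2:-}
    chmod 750 "$dir" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" || return 1
    fi
    authdir_world_access "$dir"
}

# Stand-alone use: sh audit.sh /var/run/courier/authdaemon
if [ "$#" -gt 0 ]; then
    authdir_world_access "$1"
fi
```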