Oh sorry.
As a workaround we already changed the permission on that directory.
We are not affected by this security problem, as we don't print the password
hash from authdaemon.
Thanks for the help!
On 8/26/21 1:02 PM, Greg Wooledge wrote:
On Thu, Aug 26, 2021 at 10:21:55AM +0200, Philipp Ewald wrote:
Thank you for your advice!
I will add the user to the mail group and try again.
That is absolutely *not* what I advised. Ordinary users should not
be in the "mail" or "courier" group. Those groups are for mail
programs/daemons only. Putting a user in the mail group will (among
other things) allow that user to delete *other* users' mailboxes
from /var/mail/, if you keep them there.
drwxrwsr-x 2 root mail 4096 Jan 11 2018 /var/mail/
Your original plan (change the permissions on the /run subdirectory)
is better than that, even if it means your system is "vulnerable" to
the information disclosure that the change is trying to prevent. The
severity of this disclosure depends on what type of users you have on
your system. If it's just you, then there's nothing to worry about.
If you have multiple real human users on your system and feel that
keeping your password hashes a secret is a high priority, then you
should talk to the maildrop support people and see what *they* suggest.
--
Philipp Ewald
Administrator
DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
AG Köln HRB 27711, St.-Nr. 5215 5811 0640
Managing Director: Werner Grafenhain
Privacy information: www.digionline.de/ds
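
The group-membership risk described in the quoted reply can be audited. The script below is an added example, not part of the thread or of maildrop/courier: it lists ordinary accounts that are members of mail-handling groups and checks whether an `ls`-style mode string such as the `/var/mail/` one above lets group members delete entries. The UID threshold of 1000, the `nobody` UID 65534, the function names and the sample passwd/group lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report ordinary users who are members of mail-handling groups.
UID_MIN=1000   # assumption: Debian's default first ordinary UID

# audit_mail_groups PASSWD GROUP NAME...: print "user:group" for each ordinary
# account whose primary or supplementary groups include one of NAME...
audit_mail_groups() {
    passwd_file=$1; group_file=$2; shift 2
    for grp in "$@"; do
        awk -F: -v g="$grp" -v min="$UID_MIN" '
            NR == FNR {                       # first file: group(5)
                if ($1 == g) { found = 1; gid = $3
                    n = split($4, m, ","); for (i = 1; i <= n; i++) member[m[i]] = 1 }
                next
            }
            # second file: passwd(5); skip system accounts and nobody (65534)
            found && $3 >= min && $3 != 65534 && (($1 in member) || $4 == gid) {
                print $1 ":" g
            }' "$group_file" "$passwd_file"
    done
}

# group_can_delete MODE: true if an ls-style mode string describes a directory
# that is group-writable and searchable with no sticky bit, so group members can
# remove entries they do not own.
group_can_delete() {
    case $1 in
        d????w[xs]??[!tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# demo: run the audit over constructed passwd/group data (not from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'mail:x:8:alice' 'courier:x:110:' 'alice:x:1000:' \
        'bob:x:1001:' > "$tmp/group"
    audit_mail_groups "$tmp/passwd" "$tmp/group" mail courier
    rm -rf "$tmp"
}

group_can_delete 'drwxrwsr-x' && echo "/var/mail mode lets group members delete entries"
demo
```

On a live system, pass `/etc/passwd` and `/etc/group` to `audit_mail_groups`; accounts resolved through LDAP or other NSS sources are not covered by reading those files.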