Bug 114945 - [request] Protect mail/ssmtp configuration files
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Greg Larkin
Reported: 2007-07-26 16:20 UTC by Ernst de Haan
Modified: 2008-11-19 21:30 UTC (History)

Description Ernst de Haan freebsd_committer freebsd_triage 2007-07-26 16:20:02 UTC
mail/ssmtp is a minimalistic tool that allows sending of e-mail from the host it is installed on, using the SMTP services provided by another host.

The following would, in my opinion, be a normal situation:
1. the SMTP service requires SSL;
2. the SMTP service requires authentication;
3. the authentication details are considered confidential.

This is hard to accomplish with the current mail/ssmtp port, since the /usr/local/etc/ssmtp.conf file is world-readable. This is required, since the ssmtp binary runs as the current user.

I hereby request that a solution be implemented for this. I propose the following:
1. During installation, add a user 'ssmtp' with no home directory, password and shell
2. Protect the /usr/local/etc/ssmtp/ directory by setting owner=ssmtp, group=wheel and permissions=rwxr-x---, so outside wheel nobody can read the files.
3. Make the 'ssmtp' executable owned by the user 'ssmtp' and mark it SUID.
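
Added example, not part of the original report and not the port's own code: a shell audit that reports sSMTP configuration files whose AuthUser/AuthPass directives are readable by users outside the owner and group. The function names, the throwaway demo directory and the credentials in it are constructed for illustration; the check looks only at the "other" permission bits, not at ACLs or group membership.

```shell
#!/bin/sh
# Added example, not from the port: report sSMTP config files whose SMTP
# credentials are readable by users outside the owner and group.

# True if the file has an uncommented AuthUser or AuthPass directive.
has_credentials() {
    grep -Eiq '^[[:space:]]*Auth(User|Pass)[[:space:]]*=' "$1"
}

# True if the mode of $1 has every bit of octal mask $2 set.
other_has() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# Prints each exposed file; returns 1 if any was found, 0 otherwise.
audit_ssmtp_dir() {
    dir=$1
    exposed=0
    # Without search (x) permission on the directory, others cannot open
    # anything inside it, whatever the individual file modes are.
    other_has "$dir" 001 || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if has_credentials "$f" && other_has "$f" 004; then
            echo "EXPOSED: $f"
            exposed=1
        fi
    done
    return "$exposed"
}

# Constructed demo: a throwaway directory standing in for
# /usr/local/etc/ssmtp/, with made-up credentials.
demo=$(mktemp -d)
printf 'mailhub=smtp.example.org:465\nUseTLS=YES\nAuthUser=relay\nAuthPass=not-a-real-secret\n' > "$demo/ssmtp.conf"
chmod 755 "$demo"; chmod 644 "$demo/ssmtp.conf"
audit_ssmtp_dir "$demo" || echo "before: credentials world-readable"
chmod 750 "$demo"        # the rwxr-x--- mode proposed in the report
audit_ssmtp_dir "$demo" && echo "after: no exposure"
rm -rf "$demo"
```

With directory mode rwxr-x--- the audit passes even though ssmtp.conf itself is still mode 644, because users outside the owner and group can no longer traverse the directory.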
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-07-26 16:20:28 UTC
Responsible Changed
From-To: freebsd-ports-bugs->clement

Over to maintainer
Comment 2 Clement Laforet freebsd_committer freebsd_triage 2008-09-02 08:42:01 UTC
Responsible Changed
From-To: clement->freebsd-ports-bugs

I dropped maintainership.
Comment 3 Greg Larkin freebsd_committer freebsd_triage 2008-09-11 19:55:20 UTC
Responsible Changed
From-To: freebsd-ports-bugs->glarkin

I'll take it.
Comment 4 dfilter service freebsd_committer freebsd_triage 2008-11-19 21:23:58 UTC
glarkin     2008-11-19 21:23:49 UTC

  FreeBSD ports repository

  Modified files:
    .                    GIDs 
    mail/ssmtp           Makefile pkg-descr 
    mail/ssmtp/files     patch-ssmtp.c 
  Added files:
    mail/ssmtp/files     patch-base64.c patch-ssmtp.h 
                         pkg-deinstall.in pkg-install.in 
                         pkg-message.in 
  Removed files:
    mail/ssmtp           pkg-message 
  Log:
  - Take maintainership
  - Various Makefile cleanups
  - Added protection for config files, including group creation/
    deletion
  - Incorporated patches from http://bugs.debian.org/ssmtp to fix
    compiler warnings
  
  PR:             ports/114945
  Submitted by:   znerd
  Reviewed by:    stas
  
  Revision  Changes    Path
  1.65      +2 -1      ports/GIDs
  1.26      +22 -9     ports/mail/ssmtp/Makefile
  1.1       +20 -0     ports/mail/ssmtp/files/patch-base64.c (new)
  1.3       +511 -10   ports/mail/ssmtp/files/patch-ssmtp.c
  1.1       +10 -0     ports/mail/ssmtp/files/patch-ssmtp.h (new)
  1.1       +21 -0     ports/mail/ssmtp/files/pkg-deinstall.in (new)
  1.1       +33 -0     ports/mail/ssmtp/files/pkg-install.in (new)
  1.1       +8 -0      ports/mail/ssmtp/files/pkg-message.in (new)
  1.4       +8 -7      ports/mail/ssmtp/pkg-descr
  1.3       +0 -5      ports/mail/ssmtp/pkg-message (dead)
Comment 5 Greg Larkin freebsd_committer freebsd_triage 2008-11-19 21:24:12 UTC
State Changed
From-To: open->closed

Closed with modifications, thanks!