Bug#285989: marked as done (exim4-config: Creates world-readable config file)

Debian Bug Tracking System owner@bugs.debian.org
Thu, 16 Dec 2004 13:48:30 -0800


Your message dated Thu, 16 Dec 2004 16:36:26 -0500
with message-id <20041216213626.GB27320@www.lobefin.net>
and subject line Bug#285989: exim4-config: Creates world-readable config file
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Dec 2004 19:08:00 +0000
From steve@lobefin.net Thu Dec 16 11:08:00 2004
Return-path: <steve@lobefin.net>
Received: from mail.lobefin.net [216.158.52.98] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cf0ym-0006zG-00; Thu, 16 Dec 2004 11:08:00 -0800
Received: from lobefin.net ([216.158.52.108] helo=gashuffer.lobefin.net)
	by mail.lobefin.net with asmtp (TLS-1.0:RSA_ARCFOUR_SHA:16)
	(Exim 4.34)
	id 1Cf0yl-0002Fe-MQ; Thu, 16 Dec 2004 14:07:59 -0500
Received: from steve by gashuffer.lobefin.net with local (Exim 4.34)
	id 1Cf0yl-0001r9-2T; Thu, 16 Dec 2004 14:07:59 -0500
Date: Thu, 16 Dec 2004 14:07:59 -0500
From: Stephen Gran <sgran@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4-config: Creates world-readable config file
Message-ID: <20041216190759.GA7119@gashuffer.lobefin.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="OgqxwSJOaUobr8KG"
Content-Disposition: inline
X-Reportbug-Version: 3.4
X-Editor: VIM - Vi IMproved 6.3 
X-OS: Linux gashuffer 2.6.8-1-686-smp i686
X-Uptime: 8 days
X-Latin: Hodie decimo septimo Kalendas Ianuarias MMDCCLVIII ab urbe condita est
X-Date: Today is Setting Orange, the 58th day of The Aftermath in the YOLD 3170
X-DDate: Only 2431256 Shopping Days Left Before X-Day. This statement is false. 
X-Motto: debian/rules
User-Agent: Mutt/1.5.6+20040907i
X-Authenticated-Sender: steve
X-Scanned-By: ClamAV at mail.lobefin.net
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: exim4-config
Version: 4.34-9
Severity: normal

-rw-r--r--  1 root Debian-exim 10783 2004-12-11 12:58 config.autogenerated

That seems less than ideal, especially given that things like sql
passwords can be stored in it.  Since upstream has the hide option for
things just like that, it seems that they also do not encourage this
file to be world-readable.

Thanks,

-- Package-specific info:
Exim version 4.34 #1 built 07-Dec-2004 13:59:38
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.lobefin.net'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
mailname:gashuffer.lobefin.net

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686-smp
Locale: LANG=C, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15) (ignored: LC_ALL set to en_US.ISO-8859-15)

Versions of packages exim4-config depends on:
ii  adduser                     3.59         Add and remove users and groups
ii  debconf [debconf-2.0]       1.4.41       Debian configuration management sy
ii  passwd                      1:4.0.3-30.4 Change and administer password and

-- debconf information:
* exim4/dc_smarthost: mail.lobefin.net
* exim4/dc_relay_domains:
  exim4/exim3_upgrade: true
* exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail
  exim4/dc_readhost:
  exim4/exim4-config-title:
  exim4/dc_noalias_regenerate: false
* exim4/dc_relay_nets:
* exim4/mailname: gashuffer.lobefin.net
* exim4/dc_local_interfaces: 127.0.0.1
* exim4/dc_minimaldns: false
* exim4/dc_other_hostnames:
  exim4/no_config: true
* exim4/hide_mailname: false
* exim4/dc_postmaster: steve@lobefin.net
* exim4/use_split_config: true

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------


---------------------------------------
Received: (at 285989-done) by bugs.debian.org; 16 Dec 2004 21:36:29 +0000
From steve@lobefin.net Thu Dec 16 13:36:28 2004
Return-path: <steve@lobefin.net>
Received: from mail.lobefin.net [216.158.52.98] (Debian-exim)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cf3IS-00032J-00; Thu, 16 Dec 2004 13:36:28 -0800
Received: from lobefin.net ([216.158.52.108] ident=Debian-exim)
	by mail.lobefin.net with asmtp (TLS-1.0:RSA_ARCFOUR_SHA:16)
	(Exim 4.34)
	id 1Cf3IR-0002oy-K1; Thu, 16 Dec 2004 16:36:27 -0500
Received: from steve by lobefin.net with local (Exim 4.34)
	id 1Cf3IQ-0007uv-Vl; Thu, 16 Dec 2004 16:36:26 -0500
Date: Thu, 16 Dec 2004 16:36:26 -0500
From: Stephen Gran <sgran@debian.org>
To: Andreas Metzler <ametzler@downhill.at.eu.org>
Cc: 285989-done@bugs.debian.org
Subject: Re: Bug#285989: exim4-config: Creates world-readable config file
Message-ID: <20041216213626.GB27320@www.lobefin.net>
References: <20041216190759.GA7119@gashuffer.lobefin.net> <20041216193603.GK17667@downhill.at.eu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="CUfgB8w4ZwR/yMy5"
Content-Disposition: inline
In-Reply-To: <20041216193603.GK17667@downhill.at.eu.org>
User-Agent: Mutt/1.3.28i
X-Editor: VIM - Vi IMproved 6.1 
X-OS: Linux hadrian 2.4.26-2-686-smp i686
X-Uptime: 64 days
X-Latin: Hodie decimo septimo Kalendas Ianuarias MMDCCLVIII ab urbe condita est
X-Date: Today is Setting Orange, the 58th day of The Aftermath in the YOLD 3170
X-DDate: Only 2431256 Shopping Days Left Before X-Day. You are what you see. 
X-Motto: debian/rules
Sender: Stephen Gran <steve@lobefin.net>
X-Authenticated-Sender: steve
X-Scanned-By: ClamAV at mail.lobefin.net
Delivered-To: 285989-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

This one time, at band camp, Andreas Metzler said:
> On 2004-12-16 Stephen Gran <sgran@debian.org> wrote:
> > Package: exim4-config
> > Version: 4.34-9
> > Severity: normal
> 
> > -rw-r--r--  1 root Debian-exim 10783 2004-12-11 12:58 config.autogenerated
> 
> > That seems less than ideal, especially given that things like sql
> > passwords can be stored in it.  Since upstream has the hide option for
> > things just like that, it seems that they also do not encourage this
> > file to be world-readable.
> [...]
> 
> Upstream has the file globally readable by default. Otherwise
> nice stuff like exim4 -bt won't work as unprivileged user. We are
> careful to not keep passwords in it by default and offer the
> possibility to change it.
> 
> update-exim4.conf(8)
> NOTES
>        update-exim4.conf  changes  the  file permissions of the output
>        file to the value of the environment variable CFILEMODE, if
>        CFILEMODE  is  set neither  in
>        /etc/exim4/update-exim4.conf.conf nor in the environment it
>        defaults to 0644.  Change this  to  0640  if  you're  keeping
>        sensible information (LDAP credentials et. al.) in there.

Damn - I missed that one when I was going over the whole setup this
afternoon.  Sorry about that.  I can set it in
/etc/exim4/update-exim4.conf.conf (what a name :).  So long as the
option exists, I am happy and consider the bug closed.

> This predates the possibility of keeping unsplit config, I can improve
> this a little by making config.autogenerated 0640 if
> /etc/exim4/exim4.conf.template is not world-readable and unsplit config
> is chosen.

If upstream goes with world readable by default, then I think the
documented method is cleanest - an admin sets it explicitly instead of
by implication.

Thanks, and closing this. Sorry for the chatter.

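An added audit script for the situation the thread settles on (not code from the bug report, Debian or the exim4 package): it reads the effective CFILEMODE from update-exim4.conf.conf, falling back to the documented 0644 default, and flags a generated config that is world-readable while holding credential-like options. The file paths and the "hide"/pass/secret heuristic are assumptions; the sample config it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the exim4 package.
# Audits the case discussed above: config.autogenerated is 0644 by default
# (CFILEMODE in /etc/exim4/update-exim4.conf.conf, see update-exim4.conf(8)),
# which only matters once credentials are stored in it. Paths here are
# assumptions; on a Debian host point the functions at the two files above.
set -eu

# Print the effective CFILEMODE: the value set in the conf file, else the
# documented default 0644.
effective_cfilemode() {
    mode=$(sed -n "s/^CFILEMODE='\([0-7]*\)'.*/\1/p" "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-0644}"
}

# Return 0 if the generated config is acceptable, 1 if it is world-readable
# AND holds something credential-like. The credential test is a heuristic:
# any 'hide'-prefixed option (Exim's own marker for sensitive settings) or an
# option name containing pass/secret.
check_config_exposure() {
    cfg=$1
    perms=$(stat -c '%a' "$cfg")          # e.g. 644; GNU stat assumed (Linux)
    other=${perms#"${perms%?}"}            # last octal digit = "other" bits
    case $other in 4|5|6|7) world=1 ;; *) world=0 ;; esac
    secret=0
    grep -qiE '^[[:space:]]*(hide[[:space:]]+|[a-z_]*(pass|secret)[a-z_]*[[:space:]]*=)' "$cfg" && secret=1
    if [ "$world" -eq 1 ] && [ "$secret" -eq 1 ]; then
        echo "WARNING: $cfg is mode $perms and holds credentials; set CFILEMODE='640' and rerun update-exim4.conf" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a smarthost setup whose generated config carries a
# 'hide'-marked SQL server line, checked at the default mode and then at 0640.
demo() {
    d=$(mktemp -d)
    printf "dc_eximconfig_configtype='smarthost'\nCFILEMODE='644'\n" > "$d/update-exim4.conf.conf"
    printf 'hide mysql_servers = localhost/exim/exim/EXAMPLE_PASSWORD\n' > "$d/config.autogenerated"
    chmod "$(effective_cfilemode "$d/update-exim4.conf.conf")" "$d/config.autogenerated"
    check_config_exposure "$d/config.autogenerated" || echo "exposed at the default mode"
    chmod 640 "$d/config.autogenerated"
    check_config_exposure "$d/config.autogenerated" && echo "acceptable at 0640"
    rm -rf "$d"
}
demo
```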