Bug#795459: exim4: Security problem: cannot symlink client.passwd to secure storage
Juergen Pfennig
info at j-pfennig.de
Fri Aug 14 07:58:13 UTC 2015
Package: exim4
Version: 4.84-8
Severity: normal
Dear Maintainer,
- might be an upstream issue
* I would like to store passwd.client in an encrypted folder.
* Cannot use hard-links to different fs, sym-links are silently ignored
* by exim.
* As a result I get a security problem because I cannot use a secure,
* encrypted folder to store the passwords.
Did somebody try to do something good by blocking symlinks? Anyhow, you
end up with an insecure configuration (clear text passwords in unsecure
storage).
Thanks
Jürgen
-- Package-specific info:
Exim version 4.84 #3 built 17-Feb-2015 17:45:49
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages exim4 depends on:
ii debconf [debconf-2.0] 1.5.56
ii exim4-base 4.84-8
ii exim4-daemon-light 4.84-8
exim4 recommends no packages.
exim4 suggests no packages.
-- debconf information excluded
More information about the Pkg-exim4-maintainers
mailing list