Bug#850813: exim4-config: dc_postmaster resets to user created at installation time for every postinst

Jan Ingvoldstad jani at viking.vikingmud.org
Tue Jan 10 10:52:54 UTC 2017


Package: exim4-config
Version: 4.80-7+deb7u4
Severity: important

This problem appears to be present in all packaged versions of exim4 in Debian for a long time, due to:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421424

The solution chosen here is regretfully bad.

When the user created at installation time is removed, and someone edits /etc/aliases to remove the forward of root to that user, that works well for a while, until exim4 gets updated, postinst is run, and the deleted user is inserted again.

This also poses a potential information leak vulnerability, since another user may later be created with the same name as the user created at installation time, with no relation whatsoever to the original user.

It's taken me years to track down this issue, because I couldn't find any documentation stating that this would happen, nor any way to remove it. The deleted user just magically reappears in /etc/aliases at apparently arbitrary times for all systems running Debian.

dpkg-reconfigure exim4-config does not provide any information about this, nor does it revert the change.

Please revert the "fix" in bug 421424 as soon as humanly possible, and release it as a security fix for exim4/exim4-config.

A better way of solving the problem "fixed" in bug 421424 would be to explicitly set dc_postmaster in /etc/exim4/update-exim4.conf.conf *AND* prompt for it in dpkg-reconfigure debconf, with a *default* of the first user *IFF* the first user exists. If not, prompt or leave blank.

Package-specific info included, although it's pretty much irrelevant:
-- Package-specific info:
Exim version 4.80 #2 built 24-Dec-2016 13:30:51
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 7.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=nb_NO.ISO_8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages exim4-config depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49

exim4-config recommends no packages.

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt changed [not included]
/etc/exim4/conf.d/acl/40_exim4-config_check_data changed [not included]
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions changed [not included]
/etc/exim4/conf.d/retry/30_exim4-config changed [not included]
/etc/exim4/conf.d/router/600_exim4-config_userforward changed [not included]
/etc/exim4/conf.d/router/700_exim4-config_procmail changed [not included]
/etc/exim4/conf.d/router/800_exim4-config_maildrop changed [not included]
/etc/exim4/conf.d/router/900_exim4-config_local_user changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: u'/etc/exim4/passwd.client'

-- debconf information excluded
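An added check, not part of this report or of the exim4 packaging, for the condition the report describes: it parses an aliases(5) file, follows the root alias chain and lists the final local targets that no current account owns, since a later account created under such a name would start receiving root's mail. SAMPLE_ALIASES is a constructed example and account_exists consults the local passwd database; pass a different exists callback to test against another account list.

```python
import pwd
# Constructed /etc/aliases sample (not from the report); root forwards to a user who has since been deleted.
SAMPLE_ALIASES = """\
mailer-daemon: postmaster
postmaster: root
root: olduser  # the install-time user, since deleted
"""

def parse_aliases(text):
    """Parse aliases(5) text into {name: [targets]}; strips comments, joins continuation lines."""
    aliases, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:  # continuation of the previous entry
            aliases[current] += [t.strip() for t in line.split(",") if t.strip()]
            continue
        name, _, rhs = line.partition(":")
        current = name.strip()
        aliases[current] = [t.strip() for t in rhs.split(",") if t.strip()]
    return aliases

def is_local_name(target):
    """True for a plain local mailbox name (not an address, pipe, file or :include: list)."""
    return "@" not in target and not target.startswith(("|", "/", ":include:"))

def resolve(aliases, name, seen=None):
    """Follow local alias chains from name to the set of final targets (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    if name not in aliases:
        return {name}
    out = set()
    for t in aliases[name]:
        out |= resolve(aliases, t, seen) if is_local_name(t) else {t}
    return out

def account_exists(name):
    """True if the local passwd database has an account with this name."""
    try:
        return pwd.getpwnam(name) is not None
    except KeyError:
        return False

def dangling_root_targets(text, exists=account_exists):
    """Final local targets of root's mail that no current account owns (the dangling forward)."""
    return sorted(t for t in resolve(parse_aliases(text), "root") if is_local_name(t) and not exists(t))
```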