Falk Hackenberger
2008-Apr-17 17:36 UTC
[Secure-testing-team] Bug#476576: [dkimproxy] dkimproxy run as user root and not as user dkimproxy, also the home dir of user dkimproxy is possibly the wrong location, unsafe secret key permission
Package: dkimproxy
Version: 1.0.1-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

dkimproxy runs as user root, but it does not need the rights of the user root. To fix this, change /etc/init.d/dkimproxy:

30,31c30,31 < DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} 127.0.0.1:10026 127.0.0.1:10027" < DKIMPROXY_OUT_ARGS="--keyfile=${DKIMPROXY_OUT_PRIVKEY} --selector=postfix --domain=${DOMAIN} --method=simple --signature=dkim --signature domainkeys 127.0.0.1:10028 127.0.0.1:10029" --- > DKIMPROXY_IN_ARGS="--hostname=${DKIM_HOSTNAME} 127.0.0.1:10026 127.0.0.1:10027 --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}" > DKIMPROXY_OUT_ARGS="--keyfile=${DKIMPROXY_OUT_PRIVKEY} --selector=postfix --domain=${DOMAIN} --method=simple --signature=dkim --signature domainkeys 127.0.0.1:10028 127.0.0.1:10029 --user=${DKIMPROXYUSER} --group=${DKIMPROXYGROUP}"

Also, the home dir of the user dkimproxy is /home/dkimproxy, but I think it should be /var/lib/dkimproxy.

The permissions of the secret key file are also unsafe. They are:

-rw-r--r-- 1 root root 887 17. Apr 19:22 /var/lib/dkimproxy/private.key

They should be, IMHO:

-rw-r----- 1 root dkimproxy 887 17. Apr 19:22 /var/lib/dkimproxy/private.key

--- System information. ---
Architecture: i386
Kernel: Linux 2.6.24.4-1

Debian Release: lenny/sid
  500 testing  www.debian-multimedia.org
  500 testing  security.debian.org
  500 testing  ftp.de.debian.org
  500 stable   security.debian.org

--- Package information. ---
Depends                      (Version) | Installed
======================================-+-=============
adduser                                | 3.107
liberror-perl                          | 0.17-1
libmail-dkim-perl (>= 0.29)            | 0.30.1-1
libnet-server-perl                     | 0.97-1
libtext-wrapper-perl                   | 1.000-2
lsb-base                               | 3.1-24
openssl                                | 0.9.8g-8
perl (>= 5.6.0-16)                     | 5.8.8-12
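
Review bot: Both changed lines reference ${DKIMPROXYUSER} and ${DKIMPROXYGROUP}, but nothing in this hunk defines them; unless the init script already sets them above line 30, they expand to empty strings and both daemons are started with "--user= --group=". The change should add the two assignments or say where they are set. The new options are also appended after the positional address pairs (127.0.0.1:10026 127.0.0.1:10027 and 127.0.0.1:10028 127.0.0.1:10029), while every existing option precedes them; putting --user and --group before the addresses keeps the argument order consistent. On the DKIMPROXY_OUT_ARGS line the process still has to read ${DKIMPROXY_OUT_PRIVKEY} after switching user, so the key's group and mode need to be changed in the same upload as this line.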
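
An added example, not part of the original report or of the dkimproxy package: a small audit for the two conditions the report describes, a world-readable key file and a dkimproxy process owned by root. The function names are hypothetical, and GNU stat (`stat -c`) is assumed.

```shell
#!/bin/sh
# Added example: audit the two conditions from the report.
# Function names are hypothetical; requires GNU stat (stat -c).

# check_key_perms FILE OWNER GROUP
# Passes only if FILE is owned by OWNER:GROUP, gives "other" no access,
# and is not group-writable (the report's target is root:dkimproxy, 0640).
check_key_perms() {
    key=$1; want_owner=$2; want_group=$3
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 2; }
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$key")
    mode=$1; owner=$2; group=$3; rc=0
    if [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "FAIL: $key mode $mode lets every local user access the key"; rc=1
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "FAIL: $key mode $mode is group-writable"; rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $key is $owner:$group, expected $want_owner:$want_group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $key is $owner:$group mode $mode"
    fi
    return "$rc"
}

# root_dkimproxy_procs: reads `ps -eo user=,args=` output on stdin, prints
# every line owned by root whose command line mentions dkimproxy, and
# returns 1 if any were found.
# The [d] bracket keeps this awk command's own ps entry from matching.
root_dkimproxy_procs() {
    awk '$1 == "root" && /[d]kimproxy/ { print "FAIL: runs as root: " $0; n++ }
         END { exit (n > 0) }'
}

# Usage on the system from the report (run as root):
#   check_key_perms /var/lib/dkimproxy/private.key root dkimproxy
#   ps -eo user=,args= | root_dkimproxy_procs
```
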