Bug 962988 - ssmtp.conf is world readble which is a security risk when using a password authentication
Summary: ssmtp.conf is world readble which is a security risk when using a password au...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: ssmtp
Version: el6
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: manuel wolfshant
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-14 22:02 UTC by Jérôme Loyet
Modified: 2014-01-12 19:19 UTC (History)
1 user (show)

Fixed In Version: ssmtp-2.61-21.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-04 00:52:21 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Debian BTS 661954 0 None None None Never

Description Jérôme Loyet 2013-05-14 22:02:42 UTC
Description of problem:
In order to have ssmtp working for every user on the machine, the file /etc/ssmtp/ssmtp.conf must be readable by every user (others must at least have the read right to this file).

If an authentication smtp server is used (as gmail for example), the login and password appears in clear text in ssmtp.conf. This is obviously a security problem.

Version-Release number of selected component (if applicable):
2.61-19.el6

How reproducible:
root# su - test
test# cat /etc/ssmtp/ssmtp.conf
root=prout
mailhub=smtp.gmail.com:587
AuthUser=someuser
AuthPass=xxxxxxxxxxxxxxx
UseSTARTTLS=YES
RewriteDomain=test.com
FromLineOverride=YES

root# chmod o-rwx /etc/ssmtp/ssmtp.conf
root# su - test
test# date | mail -s test test
send-mail: Cannot open mailhub:25
root@ tail /var/log/maillog
May 14 23:00:00 xxx sSMTP[2511]: /etc/ssmtp/ssmtp.conf not found
May 14 23:00:00 xxx sSMTP[2511]: Unable to locate mailhub
May 14 23:00:00 xxx sSMTP[2511]: Cannot open mailhub:25

Additional info:
The solution as discussed in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661954

root# chown -R root:mail /etc/ssmtp/ 
root# chmod -R u=rwX,g=rX,o= /etc/ssmtp
root# chown root:mail /usr/sbin/ssmtp
root# chmod g+s /usr/sbin/ssmtp

Comment 1 Fedora Update System 2013-06-05 08:58:37 UTC
ssmtp-2.61-20.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/ssmtp-2.61-20.el5

Comment 2 Fedora Update System 2013-06-05 08:58:47 UTC
ssmtp-2.61-20.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/ssmtp-2.61-20.el6

Comment 3 Fedora Update System 2013-06-05 09:00:32 UTC
ssmtp-2.61-20.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ssmtp-2.61-20.fc17

Comment 4 Fedora Update System 2013-06-06 01:34:38 UTC
Package ssmtp-2.61-20.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ssmtp-2.61-20.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10128/ssmtp-2.61-20.fc17
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-06-06 14:10:11 UTC
ssmtp-2.64-7.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ssmtp-2.64-7.fc18

Comment 6 Fedora Update System 2013-06-08 20:56:25 UTC
ssmtp-2.64-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ssmtp-2.64-7.fc19

Comment 7 Fedora Update System 2013-07-04 00:52:21 UTC
ssmtp-2.64-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-07-04 01:00:09 UTC
ssmtp-2.64-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-07-04 01:02:03 UTC
ssmtp-2.61-20.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-08-20 09:13:13 UTC
ssmtp-2.61-21.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/ssmtp-2.61-21.el5

Comment 11 Fedora Update System 2013-08-20 09:13:33 UTC
ssmtp-2.64-9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ssmtp-2.64-9.fc19

Comment 12 Fedora Update System 2013-08-20 09:13:47 UTC
ssmtp-2.64-9.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ssmtp-2.64-9.fc18

Comment 13 Fedora Update System 2013-08-20 09:14:03 UTC
ssmtp-2.61-21.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/ssmtp-2.61-21.el6

Comment 14 Fedora Update System 2013-08-30 22:58:54 UTC
ssmtp-2.64-9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-08-30 23:00:21 UTC
ssmtp-2.64-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-01-12 19:19:01 UTC
ssmtp-2.61-21.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2014-01-12 19:19:57 UTC
ssmtp-2.61-21.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.