Package: courier
Severity: normal

As far as I can tell, all of the courier daemons run as user root.
According to courier/doc/install.html:

   "You should create a new userid and groupid named "courier". That's
   optional, but highly recommended. If this is not done, Courier will
   install as user/group daemon (or some other suitable user/group id).
   Only two of Courier's daemon processes run as a superuser (and one of
   them is perpetually waiting for a non-superuser daemon process to
   terminate, in order to restart it). Everything else runs as a
   non-superuser process. Ideally, you should reserve a separate user
   and group ID for Courier's use only, so a compromised mail system
   cannot be used to compromise the rest of the system. If push comes to
   shove, you can set up Courier to use a well-defined existing user and
   group ID, such as daemon."

I am not sure what the standard is for Debian (I noticed the mail user
and group, which seem appropriate, and which correspond to the ownership
of /var/mail), but something other than root would seem appropriate.

Charles

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (90, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1um
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
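
The check the report implies, as an added example that is not part of the original report or of Courier itself: count Courier-related processes owned by root and compare against the "only two" stated in install.html. The process-name pattern and both sample listings are constructed assumptions, not a statement of which daemons Courier runs as root.

```shell
#!/bin/sh
# Audit which Courier processes run as root.
# Input: lines of "USER PID COMMAND", e.g. from:  ps -eo user=,pid=,comm=

# Assumed name pattern; adjust to the daemons actually installed.
COURIER_PATTERN='^(courier|authdaemond|imapd|pop3d|esmtpd)'
# install.html: "Only two of Courier's daemon processes run as a superuser".
MAX_ROOT=2

# Print "PID COMMAND" for every matching process owned by root.
root_courier_procs() {
    awk -v pat="$COURIER_PATTERN" '$1 == "root" && $3 ~ pat { print $2, $3 }'
}

# Return 0 if at most MAX_ROOT matching processes run as root, else 1.
check_courier_privs() {
    found=$(root_courier_procs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt "$MAX_ROOT" ]; then
        printf 'FAIL: %s Courier processes run as root (limit %s)\n%s\n' \
            "$count" "$MAX_ROOT" "$found"
        return 1
    fi
    printf 'OK: %s Courier processes run as root\n' "$count"
}

# Constructed sample: everything runs as root, as the report describes.
SAMPLE_ALL_ROOT='root 400 sshd
root 812 courierlogger
root 813 authdaemond
root 901 couriertcpd
root 902 courierd
root 950 imapd'

# Constructed sample: a dedicated "courier" user owns most daemons.
SAMPLE_SEPARATED='root 400 sshd
root 812 courierlogger
root 901 couriertcpd
courier 902 courierd
courier 950 imapd'

for sample in "$SAMPLE_ALL_ROOT" "$SAMPLE_SEPARATED"; do
    printf '%s\n' "$sample" | check_courier_privs || true
done
```

On a live system, feed it real data with `ps -eo user=,pid=,comm= | check_courier_privs`.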

