On Sat, 2 Dec 2017 14:39:00 -0500 Simon Deziel <si...@sdeziel.info> wrote:
> Please find attached a patch that:
>
> * Removes world read access to /etc/msmtprc and chgrp to "mail".
> * Installs the msmtp binary as setgid and owned by "root:mail".

Seth Arnold from the Ubuntu security team quickly reviewed my patch and found a blatant problem. Here's the IRC log:

sarnold: sdeziel: hrm, not sure I love that patch :/ ... normally most tools aren't written robustly enough to be setgid
sarnold: sdeziel: if a user config file asks to log to something writable by group mail, what happens?
...
sarnold: a dedicated group would definitely be safer

So when I have more time, I'll propose an updated patch that creates a dedicated group to use with setgid.

Regards,
Simon
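
One way a setgid program can handle the case raised in the IRC log, shown as an added example that is not part of the original message and is not msmtp code: open the user-chosen log path with the caller's real gid, so access held only by the setgid group is never used. The helper name `open_user_log` and the default file name are hypothetical.

```c
/* Added example, not msmtp code. open_user_log() is a hypothetical helper. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a user-chosen log path for appending using the caller's real gid,
 * so write access held only by the setgid group is never exercised.
 * Returns an fd, or -1 with errno set. */
int open_user_log(const char *path)
{
    gid_t setgid_group = getegid();   /* e.g. "mail" when installed setgid */
    struct stat st;
    int fd, err;

    /* Drop to the real gid; the saved set-group-ID allows switching back. */
    if (setegid(getgid()) != 0)
        return -1;

    /* O_NOFOLLOW rejects a symlink as the last component; O_NONBLOCK keeps
     * a FIFO from stalling the open; 0600 keeps a new log private. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                    O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);                    /* device or other non-regular file */
        fd = -1;
        errno = EINVAL;
    }
    err = errno;

    /* Regain the group for later reads of the protected config; fail closed. */
    if (setegid(setgid_group) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_user_log(argc > 1 ? argv[1] : "msmtp-example.log");
    if (fd < 0) { perror("open_user_log"); return 1; }
    dprintf(fd, "opened with gid %ld\n", (long)getgid());
    return close(fd) != 0;
}
```

This narrows the exposure for one file operation only; every other path the program touches while the setgid group is effective needs the same treatment, which is why a dedicated group with nothing else writable by it is the safer design.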