Hi,
as the current maintainer of courier [0], I'd like some advice from
more experienced DDs.
I'm currently considering dropping the binary package courier-webadmin
from the packaged courier suite due to security concerns. This is a CGI
binary allowing web based configuration of the Courier MTA. To modify
the configuration and restart the server(s), it needs to be setuid root.
Security measures in place:
* the package warns about risks with setuid binaries and the user
explicitly needs to enable the feature (it simply doesn't work if the
user denies though - rendering the installation of the package
pointless)
* the setuid binary is a tiny (72 lines) C program that drops
permissions and invokes a Perl script
* the Perl script by default only serves requests that are either
originating from the local host *or* which are SSL encrypted
Concerns:
* to save changes, the C wrapper does not drop permissions, but invokes
the Perl script directly with root rights.
* a reverse proxy happily forwards HTTP requests appearing as local to
the CGI script, thus potentially circumventing this barrier.
* the user normally used is the same one that runs the MTA or IMAP server,
i.e. user 'courier'. Meaning that even in dropped-privileges mode, the
Perl script has all the rights the MTA or IMAP server have.
* the password is stored and transported in plain text
* the password gets stored in plain text in a cookie on the
user's browser
* lack of any audit traces of who changed what or when
* upstream's INSTALL reads: "This is not Fort Knox, and webadmin is not
going to be publicly accessible, so the only needed security is to
keep everyone out except for authorized IP addresses."
This is inspired by discussions with a disappointed user providing
valuable feedback (in combination with somewhat less valuable feedback
and in English sentences I have a hard time understanding) [2], [3].
If I'm going to drop this binary package, is a warning in NEWS enough
(in courier-base, a dependency), or should I rather provide an empty shim
package that actually removes the setuid binary (when upgraded)?
I've clearly neglected this package for too long already and have
requested an RFH as well [1]. And yes, this left some users unhappy and
they are rightfully frustrated. Dropping support for courier-webadmin
might not help that, either. And it wastes all the effort of previous
maintainers. However, I clearly don't feel comfortable maintaining
*that* part of courier.
Thoughts? Comments? Recommendations?
Best Regards
Markus
[0]: https://tracker.debian.org/pkg/courier
[1]: RFH: courier bug: https://bugs.debian.org/978755
[2]: https://salsa.debian.org/debian/courier/-/merge_requests/9
[3]: https://bugs.debian.org/341205
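The privilege-drop step such a setuid wrapper has to get right, as an added C example (not courier's own 72-line wrapper): it clears supplementary groups, sets gid before uid, verifies that root cannot be regained, and hands the interpreter a clean environment. The uid/gid arguments, the script path and the PATH value are assumptions, and the save-as-root path described in the concerns above is deliberately not reproduced.

```c
#define _GNU_SOURCE 1                      /* must precede the includes */
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototype repeated here so the example also builds in strict ISO C mode,
 * where <grp.h> may hide it; it matches the glibc declaration. */
int setgroups(size_t size, const gid_t *list);

/* Permanently drop root to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: clear supplementary groups first (only root may do that),
 * then the gid, then the uid; once the uid is unprivileged the earlier
 * steps are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                         /* refuse to "drop" to root itself */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)                  /* as root: sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)                  /* as root: sets real, effective and saved uid */
        return -1;
    /* Verify the drop took and cannot be undone: with no saved root uid left,
     * an attempt to become root again must fail. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* Minimal environment for the interpreter, so variables inherited from the
 * web server (PERL5LIB, PATH, IFS, ...) cannot influence what the script does.
 * The PATH value is an assumption for the example. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Stand-alone demo with hypothetical arguments: wrapper UID GID /path/to/script */
int main(int argc, char **argv)
{
    if (argc != 4)
        return 2;
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0)
        return 1;                          /* never start the script while still privileged */
    char *const args[] = { argv[3], NULL };
    execve(argv[3], args, clean_env);
    return 1;                              /* only reached if execve itself failed */
}
```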