On Sat, May 11, 2019 at 5:15 AM Seth Arnold <1820...@bugs.launchpad.net> wrote:
>
> Eduardo is taking a look at this package for the security team and
> pointed out that it is doing a setuid to user 'nobody'.
>
> This isn't a safe design. User nobody is strictly for NFS's use and must
> not be used by any running processes on the system.

Thanks a lot for pointing this out, Seth and Eduardo!
We need to get in touch with upstream to find out the real reasons behind some of them, as I'm afraid blindly trying to fix things won't be good either.

@Seth - I have added setuid use and the non-NFS nobody to the entries in [1] to be caught earlier in the MIR process if possible.

[1]: https://wiki.ubuntu.com/MIRTeam#Upstream_red_flags

--
https://bugs.launchpad.net/bugs/1820212

Title:
  [MIR] python-aiosmtpd as dependency of mailman3