Add "aliases_wrapper" configuration parameter #1015
This allows you to invoke the command from "sendmail_aliases" without using the wrapper (sympa-community#946).
Adding gettext_comment
There is no longer anything for me to review.
Hi, what is the status of this pull request?
It is supposed to be ready for the next release.
Sorry I miss the clarity in your comment, please elaborate.
Certainly. You wrote in the OP:
'sendmail_aliases' (default '/etc/mail/sympa/aliases') is the target file and not a command. Since this issue is referenced in the discussion about CVE-2020-26880, let's also note that this PR doesn't address that vulnerability, unless the 'sympa_newaliases-wrapper' file is also deleted.
@ikedas : it seems Sylvain is waiting for an answer at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972114 This fix is still pending in Debian, as far as I understand. (still 1 ignored security issue at https://tracker.debian.org/pkg/sympa)
@mhow2 this issue is pretty much independent from CVE-2020-26880, see #1009 instead.
Yes, in my opinion no part of Sympa should be run as another user. This would fix root escalation issues and it is feasible as far as I can tell. But we need more documentation about configuring Sympa with each MTA and webserver to reach this goal.
This allows you to invoke the command from "sendmail_aliases" without using the wrapper. This should fix #946 and should work for Exim and Postfix MTA in most cases.
Current default is to use the alias wrapper, but in the future we may change that default.