Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add "aliases_wrapper" configuration parameter #1015

Merged
merged 3 commits into from
Nov 24, 2020
Merged

Add "aliases_wrapper" configuration parameter #1015

merged 3 commits into from
Nov 24, 2020

Conversation

racke
Copy link
Contributor

@racke racke commented Oct 12, 2020

This allows you to invoke the command from "sendmail_aliases" without using the wrapper. This should fix #946 and should work for Exim and Postfix MTA in most cases.

Current default is to use the alias wrapper, but in the future we may change that default.

@racke
Add "alias_wrapper" configuration parameter.
f21f076 
This allows you to invoke the command from "sendmail_aliases" without using the wrapper (sympa-community#946).
@racke racke added the security label Oct 12, 2020
@racke racke requested a review from ikedas October 12, 2020 10:24
ikedas
ikedas approved these changes Oct 22, 2020
View reviewed changes
Copy link
Member

@ikedas ikedas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There no longer are nothing to review for me.

@ikedas ikedas added this to the 6.2.60 milestone Oct 30, 2020
@Beuc
Copy link

Beuc commented Nov 5, 2020

Hi, what is the status of this pull request?
Minor precision for clarity, I believe the command referenced in OP is 'aliases_program', or 'sympa_newaliases.pl' (not 'sendmail_aliases').

@racke
Copy link
Contributor Author

racke commented Nov 5, 2020

Hi, what is the status of this pull request?

It is supposed to be ready for the next release.

Minor precision for clarity, I believe the command referenced in OP is 'aliases_program', or 'sympa_newaliases.pl' (not 'sendmail_aliases').

Sorry I miss the clarity in your comment, please elaborate.

@Beuc
Copy link

Beuc commented Nov 6, 2020

Minor precision for clarity, I believe the command referenced in OP is 'aliases_program', or 'sympa_newaliases.pl' (not 'sendmail_aliases').

Sorry I miss the clarity in your comment, please elaborate.

Certainly. You wrote in the OP:

This allows you to invoke the command from "sendmail_aliases" without using the wrapper. This should fix #946 and should work for Exim and Postfix MTA in most cases.

'sendmail_aliases' (default '/etc/mail/sympa/aliases') is the target file and not a command.
I think you meant 'aliases_program', or 'sympa_newaliases.pl'.

Since this issue is referenced in the discussion about CVE-2020-26880, let's also note that this PR doesn't address that vulnerability, unless the 'sympa_newaliases-wrapper' file is also deleted.

@racke racke changed the title Add "alias_wrapper" configuration parameter Add "aliases_wrapper" configuration parameter Nov 10, 2020
@racke racke mentioned this pull request Nov 10, 2020
Closed
@ikedas ikedas modified the milestone: 6.2.60 Nov 17, 2020
@ikedas ikedas merged commit a0a1299 into sympa-community:sympa-6.2 Nov 24, 2020
@ikedas ikedas mentioned this pull request Nov 24, 2020
Merged
ikedas added a commit that referenced this pull request Dec 1, 2020
@ikedas
Merge pull request #1040 from ikedas/racke/pr/alias-wrapper-option-94…
10ee7b4 
…6 by ikedas

Additional fix to #946 (#1015)
@mhow2
Copy link

mhow2 commented Jan 5, 2021

@ikedas : it seems Sylvain is waiting for an answer at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972114

This fix is still pending in debian, as far as I understand. (still 1 ignored security issue at https://tracker.debian.org/pkg/sympa)

@Beuc
Copy link

Beuc commented Jan 5, 2021

@mhow2 this issue is pretty much independent from CVE-2020-26880, see #1009 instead.
Also I added a comment at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972114#29 to clarify.

@racke
Copy link
Contributor Author

racke commented Jan 5, 2021

Yes, in my opinion no part of Sympa should be run as another user. This would fix root escalation issues and it is feasible as far I can tell. But we need more documentation about configuring Sympa which each MTA and webserver to reach this goal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ikedas ikedas ikedas approved these changes

Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
6.2.60
Development

Successfully merging this pull request may close these issues.

Use alias wrapper only if it is really needed
4 participants
@racke @Beuc @mhow2 @ikedas