From owner-freebsd-questions@FreeBSD.ORG Sun May 10 09:08:27 2015
Date: Sun, 10 May 2015 02:08:19 -0700
Message-ID: <20150510020819.Horde.eC28WWwjJ0tJo9WbqQ-sno0@mail.parts-unknown.org>
From: David Benfell
To: freebsd-questions@freebsd.org
Subject: Re: Postfix vulnerability wrongly reported by pkg audit?
In-Reply-To: <20150510080130.GC2534@vps.markoturk.info>
Quoting Marko Turk:

> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).

If I understood correctly, the problem is with the ownership of
/var/db/postfix. But to be honest, I don't see how it's in fact a
vulnerability. The complaint is that the ownership is set to root
rather than postfix. When I look at my instance, I see:

[benfell@home ~]% ls -ald /var/db/postfix
drwx------ 2 postfix wheel 512 Apr 16 01:07 /var/db/postfix

Now, I can see how root ownership might prevent postfix from working.
Not how it's a vulnerability. And it seems that at least on my
instance, it is correctly set, anyhow.

So I'm just confused.
-- 
David Benfell
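As an added example (not part of the thread and not from the Postfix or FreeBSD projects), a small POSIX shell check that automates the `ls -ald` inspection David did by hand: it verifies that /var/db/postfix is a directory owned by `postfix` with no group/other permission bits. The expected owner (`postfix`) and mode (no group/other access) are assumptions for a default install; adjust them to match your own setup.

```shell
# check_ls_line "<line from ls -ld>" [expected_owner]
# Returns 0 when the entry is a directory owned by expected_owner
# (default "postfix") with no group/other permission bits; otherwise
# prints the reason on stdout and returns 1.
check_ls_line() {
    _line=$1
    _want=${2:-postfix}
    # Split the ls line into its fields: mode, links, owner, group, ...
    set -- $_line
    _mode=$1
    _owner=$3
    _group=$4
    case $_mode in
        d*) ;;
        *) printf 'not a directory (mode %s)\n' "$_mode"; return 1 ;;
    esac
    if [ "$_owner" != "$_want" ]; then
        printf 'owned by %s, expected %s\n' "$_owner" "$_want"
        return 1
    fi
    # Characters 5-10 are the group/other bits; a trailing + or @
    # (ACL / extended attribute marker) is tolerated by the final *.
    case $_mode in
        d???------*) ;;
        *) printf 'group/other have access (mode %s, group %s)\n' \
               "$_mode" "$_group"; return 1 ;;
    esac
    return 0
}

# check_postfix_dir [path]: run the same check against the live system.
check_postfix_dir() {
    _dir=${1:-/var/db/postfix}
    [ -d "$_dir" ] || { printf '%s: no such directory\n' "$_dir"; return 1; }
    check_ls_line "$(ls -ld "$_dir")"
}

# Constructed sample lines: the one from the thread (should pass) and
# two that should fail (root-owned, and group/other-readable).
for _sample in \
    'drwx------ 2 postfix wheel 512 Apr 16 01:07 /var/db/postfix' \
    'drwx------ 2 root    wheel 512 Apr 16 01:07 /var/db/postfix' \
    'drwxr-xr-x 2 postfix wheel 512 Apr 16 01:07 /var/db/postfix'
do
    if _why=$(check_ls_line "$_sample"); then
        printf 'OK   %s\n' "$_sample"
    else
        printf 'FAIL %s: %s\n' "$_sample" "$_why"
    fi
done
```

Run `check_postfix_dir` on a FreeBSD host to test the real directory; the loop above only exercises the constructed sample lines.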