Subject: Security problem with pkgsrc/mail/majordomo
To: <>
From: Paul Hoffman <>
List: tech-pkg
Date: 03/03/2000 18:26:28
The REQ script for the majordomo package says:

>         echo "Creating '$MAJORDOMO_USER' user ..."
>         echo Done.

Note that the call to addnerd doesn't set a password or a shell. When I 
installed earlier today, I noticed that it had added an unpassworded user 
with a shell of /bin/sh. Of course, the addnerd command should also have 
'-s /sbin/nologin'.

On a related note, how does one find who is responsible for a particular 
package? It doesn't appear in the README.html in pkgsrc/mail/majordomo. 
Thus, I don't know which person to report this to. (I hope someone from 
either of these lists will take care of it...).