Subject: Re: Security problem with pkgsrc/mail/majordomo
To: None <phoffman@proper.com>
From: Brook Milligan <brook@biology.nmsu.edu>
List: tech-pkg
Date: 03/04/2000 10:35:44
   The REQ script for the majordomo package says:

   >         echo "Creating '$MAJORDOMO_USER' user ..."
   >         ${ADDNERD} -h ${HOME} -g ${MAJORDOMO_GROUP} ${MAJORDOMO_USER}
   >         echo Done.

   Note that the call to addnerd doesn't set a password or a shell. When I 
   installed earlier today, I noticed that it had added an unpassworded user 
   with a shell of /bin/sh. Of course, the addnerd command should also have 
   '-s /sbin/nologin'.

Presumably, you are suggesting additions to the addnerd command.
Perhaps a quick discussion of the options is appropriate.  I see the
following possibilities:

1.  -s /sbin/nologin; no -p option or -p *; warn that the user may wish
     to change this via vipw/passwd

2.  -s $MAJORDOMO_SHELL (default /bin/sh); -p *; similar warning

Any comments on which is preferable or ideas on other options?

   On a related note, how does one find who is responsible for a particular 
   package? It doesn't appear in the README.html in pkgsrc/mail/majordomo. 
   Thus, I don't know which person to report this to. (I hope someone from 
   either of these lists will take care of it...).

That's me.  Sorry, I'm a bit behind on email just now.

Cheers,
Brook
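As an added example (not code from this thread or from pkgsrc), a POSIX sh check for the exact condition reported above: an account entry with an empty password field and an interactive shell. The sample entries are constructed, and the list of no-login shells it accepts (/sbin/nologin, /usr/sbin/nologin, /bin/false) and the verdict strings are assumptions of the example.

```shell
# Added example (not pkgsrc code): flag accounts that can log in with no password.
# account_problems ENTRY: ENTRY is one passwd(5) (7-field) or master.passwd(5)
# (10-field) line; password is field 2 and the shell is the last field in both.
# Prints "ok" or a comma-separated list of problems; always returns 0.
account_problems() {
    entry=$1
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    nfields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    shell=$(printf '%s\n' "$entry" | cut -d: -f"$nfields")
    [ -n "$shell" ] || shell=/bin/sh   # login(1) falls back to /bin/sh
    problems=""
    # Empty password field: no password is asked for at all.  "*" can never
    # match a hash, so "-p *" locks password authentication for the account.
    [ -n "$pw" ] || problems="${problems}empty-password,"
    # Anything but a nologin-style shell hands out an interactive session.
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) problems="${problems}login-shell:${shell}," ;;
    esac
    if [ -z "$problems" ]; then printf 'ok\n'; else printf '%s\n' "${problems%,}"; fi
}

# audit_passwd FILE: one "name: verdict" line per entry, then a summary line.
audit_passwd() {
    bad=0; total=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        total=$((total + 1))
        verdict=$(account_problems "$entry")
        printf '%s: %s\n' "${entry%%:*}" "$verdict"
        [ "$verdict" = ok ] || bad=$((bad + 1))
    done < "$1"
    printf '%d of %d entries need attention\n' "$bad" "$total"
}

# Constructed sample: the account as the REQ script's addnerd call creates it
# (no password, /bin/sh), then the same account as option 1 above would make it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
majordomo::1001:1001:Majordomo:/usr/pkg/majordomo:/bin/sh
majordomo:*:1001:1001::0:0:Majordomo:/usr/pkg/majordomo:/sbin/nologin
EOF
audit_passwd "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against a copy of the real passwd database rather than the sample to see which local accounts would need the same treatment.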