Subject: Security problem with pkgsrc/mail/majordomo
To: None <tech-security@netbsd.org, tech-package@netbsd.or>
From: Paul Hoffman <phoffman@proper.com>
List: tech-security
Date: 03/03/2000 18:19:12
Message-Id: <4.3.2.20000303181056.00dcc9d0@>

The REQ script for the majordomo package says:

>         echo "Creating '$MAJORDOMO_USER' user ..."
>         ${ADDNERD} -h ${HOME} -g ${MAJORDOMO_GROUP} ${MAJORDOMO_USER}
>         echo Done.

Note that the call to addnerd doesn't set a password or a shell. When I 
installed earlier today, I noticed that it had added an unpassworded user 
with a shell of /bin/sh. Of course, the addnerd command should also have 
'-s /sbin/nologin'.

On a related note, how does one find who is responsible for a particular 
package? It doesn't appear in the README.html in pkgsrc/mail/majordomo. 
Thus, I don't know which person to report this to. (I hope someone from 
either of these lists will take care of it...).
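As an added illustration (not part of Paul's message or of the pkgsrc package), here is a small sh/awk audit that finds accounts in the state he describes: an interactive shell, and optionally an empty password field. The passwd lines it reads are constructed; the functions use the last field as the shell and the second as the password, so they work on both the 7-field passwd(5) layout and NetBSD's 10-field master.passwd layout.

```shell
#!/bin/sh
# Added example, not from the original post: audit a passwd-style file for
# accounts that can still log in interactively, which is what the majordomo
# REQ script produced by omitting '-s /sbin/nologin'.

# Print "user:shell" for every account whose shell is not a non-login shell.
# Usage: find_login_shells <passwd-file>
find_login_shells() {
    awk -F: '$NF != "/sbin/nologin" && $NF != "/usr/sbin/nologin" && $NF != "/bin/false" {
                 print $1 ":" $NF
             }' "$1"
}

# Count accounts that combine an interactive shell with an EMPTY password
# field, i.e. the exact condition reported above (unpassworded user, /bin/sh).
# On NetBSD the hash lives in /etc/master.passwd, so run it against that file.
# Usage: count_open_accounts <passwd-file>
count_open_accounts() {
    awk -F: '$2 == "" && $NF != "/sbin/nologin" && $NF != "/usr/sbin/nologin" && $NF != "/bin/false" { n++ }
             END { print n + 0 }' "$1"
}

# Constructed sample data (7-field passwd(5) layout). The majordomo line
# mirrors what addnerd creates when neither -s nor a password is given.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/:/sbin/nologin
majordomo::1001:1001:Majordomo:/usr/pkg/majordomo:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/sh
EOF

# Report: expected to list root, majordomo and alice, and to count one
# open account (majordomo).
find_login_shells "$SAMPLE_PASSWD"
echo "open accounts: $(count_open_accounts "$SAMPLE_PASSWD")"
```

Running the same two functions against the live /etc/passwd or /etc/master.passwd after a package install is a quick way to catch this class of REQ-script mistake before the account is reachable.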