Postfix vulnerability wrongly reported by pkg audit?

David Benfell benfell at parts-unknown.org
Sun May 10 09:08:27 UTC 2015


Quoting Marko Turk <markoml at markoturk.info>:
>
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that these vulnerabilities are
> from 2011).

If I understood correctly, the problem is with the ownership of  
/var/db/postfix. But to be honest, I don't see how it's in fact a  
vulnerability. The complaint is that the ownership is set to root  
rather than postfix.

When I look at my instance, I see:

[benfell at home ~]% ls -ald /var/db/postfix
drwx------  2 postfix  wheel  512 Apr 16 01:07 /var/db/postfix

Now, I can see how root ownership might prevent postfix from working.  
Not how it's a vulnerability. And it seems that at least on my  
instance, it is correctly set, anyhow. So I'm just confused.


-- 
David Benfell <benfell at parts-unknown.org>


More information about the freebsd-questions mailing list