[Dovecot] mail accounts for users without home dirs
Bob Hall
rjhjr at cox.net
Thu Aug 28 10:01:42 EEST 2003
On Thu, Aug 28, 2003 at 06:50:18AM +0300, Timo Sirainen wrote:
> On Thursday, Aug 28, 2003, at 06:05 Europe/Helsinki, Bob Hall wrote:
>
> >Let's say you have one server box and 20 users. Only the admins have
> >accounts on the server box. Users can access mail only through the
> >mail servier, via port 143. This involves three types of Unix accounts:
> >root, human admins, and the non-human mail account that owns the
> >mail files and runs mail scripts. Use sudo to give the admins the
> >right to perform any necessary tasks that need the mail account, so
> >that the mail account password doesn't get passed around.
> >1) What are the security weaknesses?
>
> With shared uids the problem is that if there's a security hole in
> Dovecot, attacker can access all the files that are owned by his uid.
> So different uids just provide operating system level security.
>
> >2) How does having one UID differ from having one password that gives
> >you
> > access to all the UIDs in the database?
>
> If you know the password, it doesn't differ. If you don't, but you
> could exploit security hole in Dovecot you then have access.
>
> >3) How is this handled in settings with hundreds of users? Do they
> > create hundreds of Unix accounts?
>
> They don't have to have real accounts, just the uids have to be
> reserved for them. For example you could just decide that uids above
> 10000 are for virtual users in LDAP.
Since the UIDs don't correspond to actual system accounts, then I
take it that there's no OS level security? So if you have a
requirement for stringent security, you can't use large scale mail
systems? Multidrop boxes must have the same weakness.
Bob
More information about the dovecot
mailing list