[Dovecot] auth_user setting

Tom Metro tmetro+dovecot at vl.com
Sun Aug 29 08:01:22 EEST 2004


Timo Sirainen wrote:
>> This and other documentation seems to suggest that the 'dovecot' user 
>> ID shouldn't be reused as the auth_user setting.
> 
> The point is more about making sure that the untrusted login process 
> can't go directly poking into trusted processes.
> ... I want to keep login processes in as restricted a sandbox as 
> possible.

OK. Something that would be helpful would be a block diagram or table of 
the various Dovecot processes showing their purpose and privilege. 
Something like:

process: dovecot
user: root
purpose: parent process/master daemon

process: imap-login
user: <login_user> [typically 'dovecot']
purpose: handles network interaction for login

process: dovecot-auth
user: <auth_user> [typically 'root']
purpose: communicates with user and password databases

process: imap-login
user: <login_user> [typically 'dovecot']
purpose: handles network interaction for login

process: imap
user: (obtained from the user database)
purpose: implements the IMAP protocol; interacts with the user's mailboxes

etc.


>> Which raises the question, how restrictive can permissions be on those 
>> configuration files? Are they read by Dovecot while root? Or will they 
>> be read by the authentication process while running as auth_user?
>> I see my dovecot-mysql.conf is world readable. Oops. Probably not a 
>> good thing, given it contains a MySQL password in clear text. 
> 
> Looks like currently the config files are read as auth_user. I changed 
> them now to be read before dropping privileges.

Ah...I better tweak my permissions then. I had switched the MySQL config 
file to be readable only by root, and hadn't noticed any problems, but 
that's because my dovecot-auth hasn't been restarted since the change.


>> You might want to put a security check into the code somewhere for that, 
>> in the same way it is common for MTAs to check on the permissions of 
>> files they depend on.
> 
> Hmm. I guess it could be useful.

It could always be relegated to an external script if you'd prefer not 
to muddy up the code. Though that might require some duplication of 
effort, such as parsing the config files.


> BTW. I'm pretty lazy at updating documentation. ...I wouldn't have 
> minded if you had just changed them directly in Wiki :)

I considered that. After all, that's the point of using a Wiki. Though I 
figured it'd be a bit more polite to put the ideas out there for 
discussion before making the changes.

BTW, I have a Dovecot-MySQL howto about half done. I'll finish it up 
once I'm done with a Postfix project and have time to get back to it.

  -Tom
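
The external permission check suggested in this message could look like the sketch below. It is an added example, not part of the original message and not Dovecot code. It assumes the password-bearing file (such as dovecot-mysql.conf) should be owned by a trusted uid (root by default), carry no group or other permission bits, and sit in a directory that other users cannot write to; the function name and the policy are illustrative.

```python
import os
import stat
import sys


def audit_secret_file(path, trusted_uids=(0,)):
    """Return a list of problems with a config file that holds a password."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; audit the target directly"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(
            f"{path}: owned by uid {st.st_uid}, expected one of {sorted(trusted_uids)}")
    # Any group/other bit is flagged: the file contains a clear-text password.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")

    # A directory writable by others lets them swap the file for their own.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in trusted_uids:
        problems.append(f"{parent}: directory owned by uid {pst.st_uid}")
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{parent}: directory is group/other writable")
    return problems


if __name__ == "__main__":
    # Usage: pass the config file paths to audit as arguments.
    findings = [p for arg in sys.argv[1:] for p in audit_secret_file(arg)]
    print("\n".join(findings) or "ok")
    sys.exit(1 if findings else 0)
```

Because the check takes paths as arguments, it avoids parsing the Dovecot config files, at the cost of the administrator having to list the files that hold secrets.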


