[Dovecot] Questions about mail process chroots
Brett Smith
bsmith at brettcsmith.org
Wed Sep 22 05:21:18 EEST 2004
Greetings,
I am configuring a new Dovecot installation, and the way the
valid_chroot_dirs and mail_chroot variables affect the mail processes is a
bit unclear to me. I was wondering if anyone could provide me with more
specific details than the comments in the configuration file do, or maybe
even recommend some values given my configuration.
We have a Debian GNU/Linux system and a mix of users with shell accounts
and users with disabled logins. Both these groups should be handled the
same way by Dovecot: auth_userdb is passwd and auth_passdb is pam. The
dovecot PAM service will use pam_mysql.so, if that matters.
Mail is in mbox format (we have too many sticklers who are set in their
ways, unfortunately); I'm thinking default_mail_env should be
mbox:~/Mail/:INBOX=/var/mail/%u.
So, if I understand correctly, (a) I should set chroots on the mail
processes, since some of our users don't have real shell accounts, and (b)
those processes will need access to /var/mail and home directories under
/home.
So my best guess is that I should set the chroot variables like this:
valid_chroot_dirs = /var/mail:/home
mail_chroot = /var/mail
I'm not sure about this though, for a number of reasons.
Do I need to even chroot at all, or do I misunderstand the comments?
If I do need to chroot, the comments about valid_chroot_dirs warn very
strongly that the chroot dirs should not be writable by users. /home
itself isn't writable by users, but obviously their home directories are.
Is listing /home also vulnerable to exploits? If it is, what would a good
solution be?
What's the meaning of /./ in mail_chroot? The comments about it,
unfortunately, make no sense at all to me. It says that /home/./user is
the same as /home, but if that's completely true, why wouldn't I just say
mail_chroot = /home? I even looked into the source and it still wasn't
really clear to me.
Thanks in advance for any help you can offer,
--
-- Brett Smith
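The following shell script is an added example and is not part of the post above or of Dovecot itself. It shows the path convention the post asks about, assuming (as the quoted configuration comment states) that in a path like /home/./user the part before "/./" is the chroot directory and the part after it is the path used inside the chroot, and it adds two sanity checks a practitioner would want before committing to values: whether a chroot directory appears in the colon-separated valid_chroot_dirs list, and whether it is a real directory that is not writable by group or others. The function names and the demonstration loop at the end are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: interpret Dovecot-style
# chroot paths and sanity-check the directories named in the config.
# Assumption (taken from the configuration-file comment quoted in the
# post): in a path such as /home/./user, the part before "/./" is the
# chroot directory and the part after it is the path used inside the chroot.

# split_chroot PATH
# Prints "CHROOT<TAB>INNER". With no "/./" present there is no chroot
# part: CHROOT is empty and INNER is the whole path.
split_chroot() {
    case "$1" in
        */./*)
            chroot_dir=${1%%/./*}   # everything before the first "/./"
            inner=${1#*/./}         # everything after it
            ;;
        *)
            chroot_dir=""
            inner=$1
            ;;
    esac
    printf '%s\t%s\n' "$chroot_dir" "$inner"
}

# chroot_allowed CHROOT VALID_LIST
# Returns 0 when CHROOT is an entry of the colon-separated VALID_LIST
# (the valid_chroot_dirs format used in the post), 1 otherwise.
chroot_allowed() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
    esac
    return 1
}

# chroot_dir_ok DIR
# Returns 0 when DIR is a real directory (not a symlink) that is not
# writable by group or others, which is the property the configuration
# comment warns about; returns 1 otherwise. Uses ls -ld so it works on
# any POSIX system without GNU stat.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    [ -L "$1" ] && return 1
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. drwxr-xr-x
    case "$perms" in
        ?????w*)    return 1 ;;         # group-writable
        ????????w*) return 1 ;;         # world-writable
    esac
    return 0
}

# Constructed demonstration using the values proposed in the post.
for p in /home/./user /var/mail; do
    split_chroot "$p"
done
for d in /var/mail /home; do
    if chroot_allowed "$d" /var/mail:/home && chroot_dir_ok "$d"; then
        echo "$d: listed in valid_chroot_dirs and not group/other writable"
    else
        echo "$d: not listed, missing, or writable by non-owner"
    fi
done
```

Run it on the server in question; the last loop reports, for each directory the post proposes, whether it both appears in the valid_chroot_dirs value and has permissions the configuration comment considers safe. A user's own home directory under /home would fail the writability check by design, which is the distinction the post is asking about.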