[Dovecot] Security issue #5: mail_extra_groups setting is often used insecurely
Timo Sirainen
tss at iki.fi
Tue Mar 4 11:40:05 EET 2008
On Mar 4, 2008, at 10:50 AM, Benoit Branciard wrote:
> Timo Sirainen wrote:
>> mail_extra_groups=mail setting is often used insecurely to give Dovecot
>> access to create dotlocks to /var/mail directory. If you don't use
>> mboxes in /var/mail, make sure this setting is cleared.
>> [...]
>> 2a) mbox: Any files/directories under mail group-writable directories
>> can be created/deleted/renamed by symlinking the directory under
>> ~/mail/. For example ln -s /var/mail ~/mail/var, DELETE var/root will
>> happily delete root's mailbox. This I hadn't thought about before.
>
> Not if /var/mail is set sticky, which is the case on all good modern
> Unix systems:

Right. That's why it was included in the workarounds. :)

Anyway, I also thought that /var/mail would be sticky in at least some
systems. I couldn't find a single one. CentOS 5, Debian, FreeBSD 6.2,
Solaris 10: none have it sticky by default.

>> mail_privileged_group setting works by keeping the group in process's
>> saved GID while it's not in use and temporarily switching it to
>> effective GID while dotlocks are created. Currently this is done only
>> when:
>> 1. It's only done for INBOX mbox which doesn't exist under the same
>> location as other mailboxes (so typically under /var/mail).
>> 2. It's used only after initial dotlock creation try failed with
>> EACCES error.
>
> Too bad... I found mail_extra_groups to be a very handy (and secure)
> way to handle Dovecot automatic index creation outside user's
> directory.

I didn't remove the setting, just renamed it to mail_access_groups.
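
A defender-side check for the two conditions discussed in this thread, as an added example that is not part of the original message or of Dovecot: it reports whether mail_extra_groups is non-empty in a config text and whether a spool directory is group- or other-writable without the sticky bit. The function names, the constructed sample config and the comma/space group separator are assumptions.

```python
import os
import re
import stat
import tempfile

SETTING_RE = re.compile(r"^\s*mail_extra_groups\s*=(.*)$")

def extra_groups(conf_text):
    """Groups granted via mail_extra_groups; [] if the setting is absent or cleared."""
    groups = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # ignore comments
        m = SETTING_RE.match(line)
        if m:                                 # assumption: the last assignment wins
            groups = m.group(1).replace(",", " ").split()
    return groups

def spool_dir_risk(path):
    """Finding text if group/other members can delete or rename files they do not own."""
    mode = os.stat(path).st_mode
    shared_write = mode & (stat.S_IWGRP | stat.S_IWOTH)
    if shared_write and not (mode & stat.S_ISVTX):
        return (f"{path}: mode {stat.S_IMODE(mode):04o} is group/other-writable "
                "without the sticky bit")
    return None

def audit(conf_text, spool_dir):
    """Collect findings for one config text and one spool directory."""
    findings = []
    groups = extra_groups(conf_text)
    if groups:
        findings.append("mail_extra_groups is set to: " + ", ".join(groups))
    risk = spool_dir_risk(spool_dir)
    if risk:
        findings.append(risk)
    return findings

if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for /var/mail.
    sample_conf = "# constructed sample config\nmail_extra_groups = mail\n"
    spool = tempfile.mkdtemp()
    os.chmod(spool, 0o775)                    # group-writable, not sticky
    print(audit(sample_conf, spool))
    os.chmod(spool, 0o1775)                   # the sticky-bit workaround from the thread
    print(audit("mail_extra_groups =\n", spool))
    os.rmdir(spool)
```

On a real host, pass the contents of the Dovecot configuration file and the actual spool path to `audit`.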