[Dovecot] Security issue #5: mail_extra_groups setting is often used insecurely
Karsten Bräckelmann
guenther at rudersport.de
Tue Mar 4 20:26:20 EET 2008
On Tue, 2008-03-04 at 08:35 +0200, Timo Sirainen wrote:
> mail_extra_groups=mail setting is often used insecurely to give Dovecot
> access to create dotlocks to /var/mail directory. If you don't use
> mboxes in /var/mail, make sure this setting is cleared.
>
> If you do use /var/mail mboxes and Dovecot gives permission errors
> without it, do one of the following (in the preferred order):
Yup, still using /var/mail mboxes. A fact I didn't get around to changing
yet.
> a) Upgrade to v1.0.11 and use the new mail_privileged_group setting
> instead of mail_extra_groups.
Just did so on my personal, local IMAP server, and now I get these:
# tail -n 1 /var/log/mail/errors
Mar 4 19:13:32 delta dovecot: IMAP(guenther): open(/var/spool/mail/.temp.delta.32268.d6ed77a67d018ba9) failed: Permission denied
# ls -ld /var/mail /var/spool/mail
lrwxrwxrwx 1 root root 10 Mar 27 2007 /var/mail -> spool/mail/
drwxrwsr-t 2 root mail 1024 Mar 4 19:17 /var/spool/mail/
> b) Make /var/mail sticky and world-writable (chmod 01777 /var/mail) and
> clear mail_extra_groups setting.
Yeah, 'chmod o+w /var/spool/mail' worked around the permission errors
for now. But this shouldn't be necessary, right?
guenther
--
char *t="\10pse\0r\0dtu\0. at ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
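A small audit script for the three situations Timo's advice distinguishes (added example, not part of this thread or of Dovecot itself). It assumes a plain `key = value` dovecot.conf and reads the spool's mode from `ls -ldL`, so a symlinked /var/mail like the one shown above is followed to the real directory.

```shell
#!/bin/sh
# Audit a Dovecot config plus a mail spool directory for the
# mail_extra_groups issue: report which access mechanism is in effect.

# First uncommented "key = value" match in the config; empty if unset/cleared.
dovecot_setting() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1
}

# Symbolic mode string (e.g. drwxrwsr-t); -L follows a symlinked spool dir.
spool_mode() {
    ls -ldL "$1" | cut -c1-10
}

# Classification printed on stdout, exit status 0 only for the two
# recommended setups:
#   insecure-extra-groups  mail_extra_groups still set (the fix is to clear it)
#   privileged-group       mail_privileged_group in use (v1.0.11+, option a)
#   sticky-spool           spool is sticky and world-writable (option b)
#   no-access              neither mechanism: expect "Permission denied"
#                          when creating dotlocks in the spool
audit_mail_spool() {
    conf="$1"; spool="$2"
    extra=$(dovecot_setting "$conf" mail_extra_groups)
    priv=$(dovecot_setting "$conf" mail_privileged_group)
    mode=$(spool_mode "$spool")
    other_w=$(printf '%s' "$mode" | cut -c9)    # 'w' if world-writable
    sticky=$(printf '%s' "$mode" | cut -c10)    # 't'/'T' if sticky bit set
    if [ -n "$extra" ]; then echo insecure-extra-groups; return 1; fi
    if [ -n "$priv" ]; then echo privileged-group; return 0; fi
    if [ "$other_w" = w ] && { [ "$sticky" = t ] || [ "$sticky" = T ]; }; then
        echo sticky-spool; return 0
    fi
    echo no-access; return 2
}

# Real usage: audit_mail_spool /etc/dovecot/dovecot.conf /var/mail
```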