[Dovecot] How to achieve proper privilege separation?

"Tóth Attila" atoth at atoth.sote.hu
Thu Feb 23 21:56:39 EET 2012


In the meantime I've upgraded to 2.1.
I've enabled debug logging and logged in.

I suspect that hardening features can be blamed for my problem. After
booting a previous kernel the behavior was reverted.

Here is what I got. As far as I can make it out, it uses the proper user for the
imap process according to the logs.

Thx:
Dw.

Feb 23 20:49:39 atoth dovecot: master: Dovecot v2.1.0 starting up (core dumps disabled)
Feb 23 20:50:12 atoth dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16584)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50264 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: Loading modules from directory: /usr/lib/dovecot/auth
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 3337879553 16584 1 0a36f4227122eb3d59466523e937b25b
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 3337879553 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16587, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:12 atoth dovecot: imap(atoth): Disconnected: Logged out in=44 out=747
Feb 23 20:50:12 atoth dovecot: auth: Debug: auth client connected (pid=16588)
Feb 23 20:50:12 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50265 resp=<hidden>
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:12 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:12 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:12 atoth dovecot: auth: Debug: master in: REQUEST 401211393 16588 1 59b6d569049f955f31991ac3cfb1f54c
Feb 23 20:50:12 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 401211393 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16589, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:14 atoth dovecot: imap(atoth): Disconnected: Logged out in=42671 out=174898
Feb 23 20:50:14 atoth dovecot: auth: Debug: auth client connected (pid=16600)
Feb 23 20:50:14 atoth dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=50276 resp=<hidden>
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): lookup service=imap
Feb 23 20:50:14 atoth dovecot: auth-worker(16586): Debug: pam(atoth,127.0.0.1): #1/1 style=1 msg=Password:
Feb 23 20:50:14 atoth dovecot: auth: Debug: client out: OK 1 user=atoth
Feb 23 20:50:14 atoth dovecot: auth: Debug: master in: REQUEST 3933732865 16600 1 8382f23ff412178311e55bf74162e4cd
Feb 23 20:50:14 atoth dovecot: auth: Debug: passwd(atoth,127.0.0.1): lookup
Feb 23 20:50:14 atoth dovecot: auth: Debug: master out: USER 3933732865 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16601, secured
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=mbox:~/mail/:INBOX=/var/spool/mail/atoth
Feb 23 20:50:14 atoth dovecot: imap(atoth): Debug: fs: root=/home/atoth/mail, index=, control=, inbox=/var/spool/mail/atoth, alt=
Feb 23 20:50:14 atoth dovecot: imap(atoth): Disconnected: Logged out in=405 out=9240

-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2012 February 23 (Thu) 09:15, Timo Sirainen wrote:
> On Thu, 2012-02-23 at 09:03 +0100, "Tóth Attila" wrote:
>> Unfortunately I can see, that in my case /usr/libexec/dovecot/imap
>> accesses both the inbox and the mail directories of the user as root.
>> Moreover, it creates the lock file as root. I can see no process running
>> as the user.
>>
>> How could I teach dovecot to start the imap process as the user. What
>> configuration options I should blame?
>
> Well, that's strange. There shouldn't be any way for you to make imap
> access mails as root, even if you wanted to do that. If you log in as
> root, it'll fail with:
>
> Error: user root: Invalid settings in userdb: userdb returned 0 as uid
> Fatal: Invalid user settings. Refer to server log for more information.
>
> If there's a bug and it just somehow manages to get through that check,
> it fails with:
>
> Fatal: We couldn't drop root privileges
>
> So.. I'm not really sure what could be wrong. It makes me think maybe
> Gentoo's hardening features somehow mess this up, but I can't really
> think of how that could either.
>
> Set auth_debug=yes and mail_debug=yes. What does it log when logging in?
>
>
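The debug log in the message above is what a healthy privilege drop looks like: the userdb answer ("master out: USER ... uid=1000 gid=100") and the imap process's own "Effective uid=1000, gid=100" line agree, and neither is 0. The following Python script is an added example, not part of this thread and not Dovecot's own code. It walks auth_debug/mail_debug output of the shape posted here and flags the three failure modes the thread is about: userdb handing back uid/gid 0, an imap process reporting effective uid/gid 0 (mail accessed as root), and an imap process whose effective identity differs from what userdb returned for that user. The embedded log lines are constructed; the "mallory" and "bob" sessions are invented bad cases modelled on the posted format, and the patterns assume each log record sits on a single line (unwrap mail-client line breaks first).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the Dovecot 2.1 auth_debug/mail_debug lines
# in the thread (tab separators collapsed to spaces). The "atoth" session is a
# healthy privilege drop; "mallory" and "bob" are invented failure cases.
SAMPLE_LOG = """\
Feb 23 20:50:12 atoth dovecot: auth: Debug: master out: USER 3337879553 atoth system_groups_user=atoth uid=1000 gid=100 home=/home/atoth
Feb 23 20:50:12 atoth dovecot: imap-login: Login: user=<atoth>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16587, secured
Feb 23 20:50:12 atoth dovecot: imap(atoth): Debug: Effective uid=1000, gid=100, home=/home/atoth
Feb 23 20:50:14 atoth dovecot: auth: Debug: master out: USER 401211393 mallory system_groups_user=mallory uid=0 gid=0 home=/root
Feb 23 20:50:14 atoth dovecot: imap-login: Login: user=<mallory>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=16601, secured
Feb 23 20:50:14 atoth dovecot: imap(mallory): Debug: Effective uid=0, gid=0, home=/root
Feb 23 20:50:15 atoth dovecot: auth: Debug: master out: USER 555 bob system_groups_user=bob uid=1001 gid=100 home=/home/bob
Feb 23 20:50:15 atoth dovecot: imap(bob): Debug: Effective uid=1000, gid=100, home=/home/bob
"""

# The two record types that matter for privilege separation: what the userdb
# told the master to use, and what the imap process actually ended up running as.
USERDB_RE = re.compile(
    r"auth: Debug: master out: USER\s+\d+\s+(?P<user>\S+)\s+.*?\buid=(?P<uid>\d+)\s+gid=(?P<gid>\d+)"
)
EFFECTIVE_RE = re.compile(
    r"imap\((?P<user>[^)]+)\): Debug: Effective uid=(?P<uid>\d+), gid=(?P<gid>\d+)"
)


def parse_userdb(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (user, uid, gid) from a 'master out: USER ...' record, else None."""
    m = USERDB_RE.search(line)
    if not m:
        return None
    return m["user"], int(m["uid"]), int(m["gid"])


def parse_effective(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (user, uid, gid) from an 'imap(user): Debug: Effective uid=...' record."""
    m = EFFECTIVE_RE.search(line)
    if not m:
        return None
    return m["user"], int(m["uid"]), int(m["gid"])


def audit(log_text: str) -> List[str]:
    """Walk the log in order and return one finding per privilege-separation violation.

    Flags: userdb returning uid/gid 0; an imap process with effective uid/gid 0;
    an imap process whose effective uid/gid differs from the userdb answer for
    that user. A clean log yields an empty list.
    """
    expected: Dict[str, Tuple[int, int]] = {}  # user -> (uid, gid) from userdb
    findings: List[str] = []
    for line in log_text.splitlines():
        u = parse_userdb(line)
        if u:
            user, uid, gid = u
            expected[user] = (uid, gid)
            if uid == 0 or gid == 0:
                findings.append(f"userdb returned uid={uid} gid={gid} for {user}")
            continue
        e = parse_effective(line)
        if e:
            user, uid, gid = e
            if uid == 0 or gid == 0:
                findings.append(f"imap({user}) running with effective uid={uid} gid={gid}")
            want = expected.get(user)
            if want is not None and want != (uid, gid):
                findings.append(
                    f"imap({user}) effective uid/gid {uid}/{gid} differs from userdb {want[0]}/{want[1]}"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("VIOLATION:", finding)
```

Run against a real log (`journalctl -u dovecot` or the mail log with auth_debug=yes and mail_debug=yes) the script should print nothing; any output means the imap process did not end up as the user the userdb named. Note that it only sees what Dovecot logs about itself, so a ps listing of the running imap processes' uids and the ownership of the lock files in the mail directories remains the independent cross-check.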