secure setup for imap hibernation

Aki Tuomi aki.tuomi at dovecot.fi
Fri Oct 27 12:44:07 EEST 2017



On 27.10.2017 12:32, Arkadiusz Miśkiewicz wrote:
> On Friday 27 of October 2017, Aki Tuomi wrote:
>> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
>>> Hi.
>>>
>>> What's the approach for securely enabling imap hibernation in the case when
>>> each user uses a different uid and gid?
>>>
>>> Looks like none and 0666 on hibernation and imap master sockets is the
>>> only way?
>>>
>>> Thanks,
>> That's the only way, yes. Hibernation keeps all connections in the same
>> process.
> Couldn't dovecot do setgroups(2) to add an additional common group to
> imap/hibernation processes and rely on that for access to sockets (sockets
> would be root:thatgroup 0660) thus making it a bit more secure?
>
> Non mail related uids/gids wouldn't have access to sockets that way.
>
>> Aki

It could. But at the moment it's not; a pull request to do this is always
welcome. It would also need some way to choose the correct socket.

Aki
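
An added example, not part of the original messages and not Dovecot code: a small audit that contrasts the 0666 socket mode discussed in this thread with the group-restricted 0660 layout proposed above. The socket names, the temporary directory and the `audit_socket` helper are constructed for illustration; the check assumes Linux semantics, where connecting to a UNIX socket requires write permission on the socket file.

```python
import os
import socket
import stat
import tempfile


def audit_socket(path, expected_gid=None):
    """Return a list of findings for one UNIX socket path (empty list = OK)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # Write permission for "other" means every local uid can connect,
    # including accounts that have nothing to do with mail.
    if mode & stat.S_IWOTH:
        findings.append("world-writable (mode %04o): any local uid can connect" % mode)
    # Group access is only as tight as the group that owns the socket.
    if expected_gid is not None and mode & stat.S_IWGRP and st.st_gid != expected_gid:
        findings.append("group-writable by unexpected gid %d" % st.st_gid)
    return findings


def demo():
    """Create two constructed sockets in a temp dir and audit both."""
    results = {}
    gid = os.getegid()  # stands in for the shared mail group
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("imap-hibernate-0666", 0o666),
                           ("imap-hibernate-0660", 0o660)):
            path = os.path.join(d, name)
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(path)
            os.chown(path, -1, gid)
            os.chmod(path, mode)
            results[name] = audit_socket(path, expected_gid=gid)
            s.close()
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Search permission on the directories leading to the socket also gates access, so the directory mode is worth checking alongside the socket mode.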

