Timo Sirainen wrote:
This and other documentation seems to suggest that the 'dovecot' user ID shouldn't be reused as the auth_user setting.
The point is more about making sure that the untrusted login process can't go directly poking into trusted processes. ... I want to keep login processes in as restricted a sandbox as possible.
OK. Something that would be helpful would be a block diagram or table of the various Dovecot processes showing their purpose and privilege. Something like:
process: dovecot        user: root                                purpose: parent process/master daemon
process: imap-login     user: <login_user> [typically 'dovecot']  purpose: handles network interaction for login
process: dovecot-auth   user: <auth_user> [typically 'root']      purpose: communicates with user and password databases
process: imap           user: (obtained from the user database)   purpose: implements the IMAP protocol; interacts with the user's mailboxes
etc.
Which raises the question, how restrictive can permissions be on those configuration files? Are they read by Dovecot while root? Or will they be read by the authentication process while running as auth_user? I see my dovecot-mysql.conf is world readable. Oops. Probably not a good thing, given it contains a MySQL password in clear text.
Looks like currently the config files are read as auth_user. I changed them now to be read before dropping privileges.
Ah... I'd better tweak my permissions then. I had switched the MySQL config file to be readable only by root, and hadn't noticed any problems, but that's because my dovecot-auth hasn't been restarted since the change.
You might want to put a security check into the code somewhere for that, in the same way it is common for MTAs to check on the permissions of files they depend on.
Hmm. I guess it could be useful.
It could always be relegated to an external script if you'd prefer not to muddy up the code. Though that might require some duplication of effort, such as parsing the config files.
BTW. I'm pretty lazy at updating documentation. ...I wouldn't have minded if you had just changed them directly in the Wiki :)
I considered that. After all, that's the point of using a Wiki. Though I figured it'd be a bit more polite to put the ideas out there for discussion before making the changes.
BTW, I have a Dovecot-MySQL howto about half done. I'll finish it up once I'm done with a Postfix project and have time to get back to it.
-Tom
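The "external script" variant of the permission check discussed above (an MTA-style sanity check on files the daemon depends on), written here as an added example; it is not Dovecot's own code and not something from the thread. It assumes the credential-bearing config files are meant to be owned by root and readable by the owner only, and it inspects mode bits and ownership only, so nothing in the config files has to be parsed. The file names passed to it (e.g. dovecot-mysql.conf) are just arguments; the path shown in the usage section is an assumed example.

```shell
#!/bin/sh
# Added example: refuse to start (or just warn) if a config file holding
# credentials is readable by group or others, or is not owned by the
# expected user. Mirrors the kind of check MTAs do on their own files.

# check_config_perms FILE [OWNER]
# Returns 0 if FILE exists, is owned by OWNER (default: root) and has no
# group/other read bits. Otherwise prints what is wrong and returns 1.
check_config_perms() {
    file=$1
    want_owner=${2:-root}
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi
    # ls -ld prints the mode string first (e.g. -rw-------) and the owner third.
    mode=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')
    status=0
    # In the mode string, character 5 is the group read bit, character 8 the world read bit.
    if [ "$(printf '%s' "$mode" | cut -c5)" != "-" ]; then
        echo "$file: group-readable ($mode)" >&2
        status=1
    fi
    if [ "$(printf '%s' "$mode" | cut -c8)" != "-" ]; then
        echo "$file: world-readable ($mode)" >&2
        status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner" >&2
        status=1
    fi
    return $status
}

# check_all OWNER FILE...
# Runs check_config_perms on every FILE; returns 1 if any of them failed,
# so a start-up script can abort on a single bad file.
check_all() {
    want_owner=$1
    shift
    failed=0
    for f in "$@"; do
        check_config_perms "$f" "$want_owner" || failed=1
    done
    return $failed
}

# Usage (only runs when file names are given on the command line), e.g.:
#   sh check-dovecot-perms.sh /etc/dovecot-mysql.conf   (assumed path)
if [ $# -gt 0 ]; then
    if check_all root "$@"; then
        echo "all config files have acceptable permissions"
    else
        echo "fix the permissions above before starting dovecot" >&2
        exit 1
    fi
fi
```

Mode 0600 owned by root passes; 0640/0644, or a file owned by some other account, fails with a message naming the file and the problem, so the script can be run from an init script or cron without having to duplicate Dovecot's config parsing.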