> If someone has root they can just read the email storage files, no password needed.
We are discussing Dovecot with encrypted mail storage here.
> If someone has root, and dovecot has no code showing passwords in logs, the attacker can build THEIR OWN version of dovecot that "key-logs" all passwords to a remote server WITHOUT displaying passwords in the logs.
Please compare the time needed to get in, enable debug logging and read the log file with the time needed to get in, enable debug logging, realize it's not working (some will stop here), consider your options, and build THEIR OWN version of dovecot that "key-logs" all passwords to a remote server WITHOUT displaying passwords in the logs.
> This is what people mean when they say if someone has root you have bigger problems than dovecot logging.
I generally agree, but only if the mail storage is unencrypted. With encrypted storage I can think of many scenarios (corrupt law enforcement, malicious freelance admin, social engineering tricks, etc.) in which attackers will not have enough time/expertise to grab your passwords.
On 2022-10-11 18:16, dovecot@ptld.com wrote:
>> Yeah, it's such an obvious vulnerability, I'm kinda surprised most people here don't see an issue with that.
> What people are trying to explain is that the scenario you describe requires an attacker to have root privileges on the target server. If someone has root access to a server then your fears are moot and the suggestion to remove code logging passwords offers zero protection.
> If someone has root they can just read the email storage files, no password needed.
> If someone has root, and dovecot has no code showing passwords in logs, the attacker can build THEIR OWN version of dovecot that "key-logs" all passwords to a remote server WITHOUT displaying passwords in the logs.
> This is what people mean when they say if someone has root you have bigger problems than dovecot logging.