On Tue, 2009-12-29 at 15:04 +0600, Denis Khromov wrote:
/usr/local/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See http://wiki.dovecot.org/LDA#multipleuids .. I think this error message should go to log files, not just to stdout/stderr.
But that could be too late.. Someone could create a mydovecot.conf that says log_path = /etc/passwd and run deliver -c mydovecot.conf and mess up the passwd file by having it log the above message to it, or something similar to that.
What could be possible is to also log it to syslog, but not everyone is using syslog and with the default mail facility. Seems like that could also cause trouble.
And it's worth to describe this behaviour in the Wiki.
Well, it only affects those people who upgrade from old version and actually have deliver set up as setuid-root. I don't think there are that many of those left. :)