On Thu, Aug 28, 2003 at 06:50:18AM +0300, Timo Sirainen wrote:
On Thursday, Aug 28, 2003, at 06:05 Europe/Helsinki, Bob Hall wrote:
Let's say you have one server box and 20 users. Only the admins have accounts on the server box. Users can access mail only through the mail server, via port 143. This involves three types of Unix accounts: root, human admins, and the non-human mail account that owns the mail files and runs mail scripts. Use sudo to give the admins the right to perform any necessary tasks that need the mail account, so that the mail account password doesn't get passed around.
- What are the security weaknesses?
With shared uids the problem is that if there's a security hole in Dovecot, an attacker can access all the files that are owned by his uid. So different uids just provide operating system level security.
- How does having one UID differ from having one password that gives you access to all the UIDs in the database?
If you know the password, it doesn't differ. If you don't, but you could exploit a security hole in Dovecot, you then have access.
- How is this handled in settings with hundreds of users? Do they create hundreds of Unix accounts?
They don't have to have real accounts, just the uids have to be reserved for them. For example, you could just decide that uids above 10000 are for virtual users in LDAP.
Since the UIDs don't correspond to actual system accounts, then I take it that there's no OS level security? So if you have a requirement for stringent security, you can't use large scale mail systems? Multidrop boxes must have the same weakness.
Bob
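
An added example, not part of the original thread: a Python audit of the uid scheme discussed above (one uid per virtual user, reserved above 10000), flagging uid reuse, collisions with system accounts and maildirs that other uids can reach. The user names, paths, uids and the `sample_stat` stand-in for `os.stat` are constructed for illustration.

```python
import os
import stat
from collections import Counter
from types import SimpleNamespace

RESERVED_FLOOR = 10000  # from the thread: uids above 10000 are for virtual users

def audit_virtual_uids(users, system_uids, stat_fn=os.stat):
    """users: {name: (uid, maildir)}; system_uids: uids of real accounts."""
    findings = []
    uid_counts = Counter(uid for uid, _ in users.values())
    for name, (uid, maildir) in users.items():
        if uid <= RESERVED_FLOOR:
            findings.append((name, "uid outside reserved range"))
        if uid in system_uids:
            findings.append((name, "uid collides with a system account"))
        if uid_counts[uid] > 1:
            findings.append((name, "uid shared with another virtual user"))
        try:
            st = stat_fn(maildir)
        except OSError:
            findings.append((name, "maildir missing"))
            continue
        if st.st_uid != uid:
            findings.append((name, "maildir not owned by the user's uid"))
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append((name, "maildir accessible to group/other"))
    return sorted(findings)

# Constructed sample data (hypothetical names, paths and uids).
SAMPLE_USERS = {
    "alice": (10001, "/var/vmail/alice"),
    "bob": (10002, "/var/vmail/bob"),
    "carol": (10002, "/var/vmail/carol"),  # reuses bob's uid
    "dave": (500, "/var/vmail/dave"),      # below the reserved range
}
SAMPLE_FS = {
    "/var/vmail/alice": SimpleNamespace(st_uid=10001, st_mode=0o40700),
    "/var/vmail/bob": SimpleNamespace(st_uid=10002, st_mode=0o40750),
    "/var/vmail/carol": SimpleNamespace(st_uid=10002, st_mode=0o40700),
}

def sample_stat(path):  # stand-in for os.stat; no root or real maildirs needed
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SAMPLE_FS[path]

if __name__ == "__main__":
    for finding in audit_virtual_uids(SAMPLE_USERS, {0, 500}, sample_stat):
        print(*finding, sep=": ")
```

On a real server, call it with the default `stat_fn` and the set of uids read from the passwd database.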