on 7-24-2008 1:18 AM Dan Horák spake the following:
Hi,
I have a little problem with defining the right permissions for dovecot.conf. The main problem is that the password for SSL certificates is stored there and the conf file is world readable by default, which makes a security problem [1]. It is not a problem to restrict the permissions to 0600, dovecot will still work, but then deliver cannot work as it reads the conf too, but it runs under arbitrary user. So my last iteration is 0640 as permission and root:mail as ownership, but that expects that deliver is run with group = mail. For the long term solution I would prefer to move the password into a separate config file so the permissions can be properly restricted there. What are your opinions?
With regards, Dan
[1] https://bugzilla.redhat.com/show_bug.cgi?id=436287 You can always have no passwords on ssl certs. Probably just as secure as a world readable password.
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!