Hi,
we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.
This problem seems to be little more complicated than we thought.
dovecot.conf can contain passphrase for ssl key, which is available for everyone since dovecot.conf has world readable permissions.
(In CVE's description is note that it RHEL's/Fedora's problem, but it affects all systems imo)
We was thinking about few ways how to fix it:
0640 permissions for dovecot.conf - but it can became not readable for dovecot
0640 root:mail and set deliver to group mail with sgid - possible security problem
don't store passphrase in dovecot.conf, just ask for it when dovecot's started - can hang boot process, not good
As part of investigating, I've found dovecot is storing all variables in environment variables - it means even passphrase? I'm not completely sure, but all variables can be read via /proc/<pid>/environ (I don't know if it becomes readable in some circumstances.)
Is there any plan to solve this problem?
Cheers,
Michal