On 7/30/2013 8:37 PM, Ben Morrow wrote:
At 3PM -0700 on 30/07/13 you (Joseph Tam) wrote:
Martin Burgraf writes:
And when it's running as root there is always the danger of privilege escalation. LDA only runs when it's needed and since it uses only user rights it shoudbe more harmless.
I didn't contest the privilege separation aspect, as it a necessary design trade-off that one daemon doing things for all user will need overriding access. However, if this is a concern, you can virtualize all your users. LMTP can theoretically be subverted, but at least won't be as root. (I'm assuming LMTP stays as root, and not spawning off user processes to do the real work.)
It doesn't stay as root; Dovecot's LMTP switches down to the user's uid to perform delivery, including sieve scripts. The security concerns are in fact very similar to LDA: for LDA delivery with (say) Postfix, you have local(8) running as root and switching down to the user to invoke the LDA, while for LMTP the Postfix lmtp(8) process runs as an unprivileged Postfix user and the LMTP server runs as root and switches down.
AFAICS the LMTP conversation itself happens as root, though, which is a shame; I might think twice about exposing it directly over the network.
Shouldn't a few iptables/pf rules be able to substantially mitigate this potential problem? I.e. restrict which hosts a given host is allowed to speak LMTP with.
-- Stan