Pascal Volk wrote:
On 09.01.2008 21:43 Asheesh Laroia wrote:
Not in the way I was describing:
Let's say some person logs on to your Dovecot-based IMAP service and figures out how to take over Dovecot to read and modify arbitrary files on the system. (Timo, I hope this doesn't happen - but bear with me.) To be clear, Dovecot's imap handler runs as the UNIX UID associated with the user logging in, not root.
If there's a bug in dovecot that allows this, then there will also be bugs that give the whole server to the attacker...
In the virtual user setup that the thread starter described, the user shares his UNIX UID with the other virtual users on the system. So he has UNIX permission to read and write other users' mail.
This will only be the case if you have a poor™ setup.
Poor? Come on!
If the setup is done right, each imap/pop user will have its own UID. And therefore each imap/pop process will run with the UID of the user.
Using different uids means that the delivery agent needs some privilege to write to the mailboxes. In general, this is achieved by making the MDA suid.
And since we are talking about possible bugs, what do you think are the consequences of potential bugs in the MDA if it is suid?
Note that using different uids with virtual users doesn't bring much. One needs to make sure there is no uid collision with unix users (which means you must make sure adduser doesn't create an account with a uid used by a virtual mailbox). The only thing it brings is that the uid has no "name" and can't log in.
I have found that a single uid/gid has many benefits. For example, the same uid is used to retrain spamassassin.
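As an added example (not code from the thread or from Dovecot), the uid-collision check the reply above calls for: it compares a Dovecot passwd-file style virtual user list against /etc/passwd and flags virtual mailboxes whose UID is also held by a system account with a real login shell. Both file contents below are constructed, and the set of nologin shells is an assumption.

```python
# Added example: detect UID overlap between virtual-mail accounts and
# login-capable system accounts. All input data is constructed.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumption

# Constructed /etc/passwd excerpt: name:password:uid:gid:gecos:home:shell
SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmail:x:5000:5000:virtual mail:/var/vmail:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

# Constructed Dovecot passwd-file style userdb: user:password:uid:gid:gecos:home
VIRTUAL_USERS = """\
bob@example.com:{SHA512-CRYPT}$6$placeholder:1001:1001::/var/vmail/example.com/bob
carol@example.com:{SHA512-CRYPT}$6$placeholder:10002:5000::/var/vmail/example.com/carol
dave@example.com:{SHA512-CRYPT}$6$placeholder:10003:10003::/var/vmail/example.com/dave
"""


def parse_passwd(text):
    """Map uid -> (name, shell) from passwd(5)-style lines, skipping blanks/comments."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        out[int(fields[2])] = (fields[0], fields[6])
    return out


def find_uid_collisions(system_text, virtual_text):
    """Return (virtual_user, uid, system_user) for each virtual mailbox whose
    UID belongs to a system account that can actually log in. Accounts with a
    nologin shell (e.g. a shared vmail user) are not reported as collisions."""
    system = parse_passwd(system_text)
    hits = []
    for line in virtual_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        uid = int(fields[2])
        if uid in system and system[uid][1] not in NOLOGIN_SHELLS:
            hits.append((fields[0], uid, system[uid][0]))
    return hits


if __name__ == "__main__":
    for user, uid, owner in find_uid_collisions(SYSTEM_PASSWD, VIRTUAL_USERS):
        print(f"COLLISION: {user} uses uid {uid}, also login account '{owner}'")
```

Run against a real /etc/passwd and the real userdb file, this is the check to put in whatever script adds virtual mailboxes, so adduser and the mailbox allocator never hand out the same uid.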