Create a malicious directory
Use scripts to create some malicious directories. Here is my creation process. How can I prevent the creation of these directories? I used the python imapclient script to create a directory.
There may be no big threat to dovecot, but it is dangerous for doveadm.
How is that dangerous? If you pipe output from a directory listing to *any* command you need to sanitize it.
That's normal if you have data that can be created by a user. The issue is known since the very beginning of Linux
First, you might want to control access to who is allowed to use your server, your email and dovecot. If they are malicious, maybe you want to disallow their access.
Second, you might want to make sure that dovecot and doveadm, do not have permissions to run programs outside of a few that are needed. Perhaps put them in a chroot jail?
Or install a stronger kernel security module. Some disallow things by roles, some disallow things by labels and some by path. You can also set a file to be append only, so delete won't work on it (see chattr(1)).
There are quite a few ways to add more security, but such issues are complex and well beyond the scope of this list. If you are concerned with security, and don't know how to configure it, consider disallowing all access to your server, except for yourself.
*cheers*
On 2019/05/19 21:22, lty via dovecot wrote:
Use scripts to create some malicious directories. Here is my creation process. How can I prevent the creation of these directories? I used the python imapclient script to create a directory.
There may be no big threat to dovecot, but it is dangerous for doveadm.
On 2019/05/19 18:22, hfh via dovecot wrote:
Directory name have some malicious characters, is it safe?How can I exclude some characters,thanks!大笑
Realistically, nothing is 100% safe unless it is stored in 100ft of concrete and buried where no one can find it. Safety and usability are ever at odds with one another.
participants (4)
-
@lbutlr
-
L A Walsh
-
lty
-
Reto