[Dovecot] Dovecot "deliver" with multiple UIDs (security question)
Hi all,
I have a question related to using the Dovecot LDA (deliver) with a multiple UID setup as described on the http://wiki.dovecot.org/LDA page in the "Multiple UIDs" section.
I run Postfix (virtual mailboxes) + Dovecot using multiple UIDs (one UID per virtual domain owner). I configured Postfix to use Dovecot Deliver for the virtual transport. To overcome the problem of multiple UIDs I used the solution described on the http://wiki.dovecot.org/LDA page in the "Multiple UIDs" section. I used the "sudo" solution as described on the page. I only call the deliver with sudo from inside Postfix and the sudoer user is only allowed to sudo on the deliver binary.
My question is: Is this solution secure? Can it be used in a production environment? What exactly happens in the background from the time I call "deliver" with sudo, to the time the delivery is finished?
The configuration works. The emails get delivered but I am concerned about the security of this setup :(.
Thank you,
Buzai Andras
On Sat, 2010-07-10 at 12:30 +0300, Buzai Andras wrote:
I only call the deliver with sudo from inside Postfix and the sudoer user is only allowed to sudo on the deliver binary.
My question is: Is this solution secure? Can it be used in a production environment? What exactly happens in the background from the time I call "deliver" with sudo, to the time the delivery is finished?
deliver starts as root, does userdb lookup, drops privileges and then all is ok.
The main problem is that while deliver is running as root at startup, it can be told to do bad things. Basically the user that calls deliver via sudo has the ability to gain root privileges (e.g. by telling deliver to load a plugin that execs a shell).
With v2.0 you could use LMTP without these kinds of problems.
Hi,
My master.cf Postfix file contains the following entry for this:
dovecot unix - n n - - pipe flags=DRhu user=mysudoeruser argv=/usr/bin/sudo /usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
When you say that "Basically the user that calls deliver via sudo has the ability to gain root privileges (e.g. by telling deliver to load a plugin that execs a shell).",
do you refer to the postfix user or to the user specified in the master.cf file ("mysudoeruser" in my case)? In my configuration the user "mysudoeruser" is a dedicated user only for this action and it is not allowed to login, etc ...
So basically for somebody to gain root access it should compromise the "mysudoeruser" dedicated user, right?
Would you use this setup in a production environment? :)
Thank you,
Buzai Andras
On Sun, Jul 11, 2010 at 9:58 PM, Timo Sirainen <tss@iki.fi> wrote:
On Mon, 2010-07-12 at 00:09 +0300, Buzai Andras wrote:
dovecot unix - n n - - pipe flags=DRhu user=mysudoeruser argv=/usr/bin/sudo /usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
When you say that "Basically the user that calls deliver via sudo has the ability to gain root privileges (e.g. by telling deliver to load a plugin that execs a shell).",
do you refer to the postfix user or to the user specified in the master.cf file ("mysudoeruser" in my case)?
mysudoeruser (that's who you gave sudo access, right?)
In my configuration the user "mysudoeruser" is a dedicated user only for this action and it is not allowed to login, etc ...
So basically for somebody to gain root access it should compromise the "mysudoeruser" dedicated user, right?
Yeah.
Would you use this setup in a production environment? :)
I guess it's not too bad. But I'd switch to LMTP once you've upgraded to Dovecot v2.0.
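The two delivery paths contrasted in this reply, side by side as an added configuration example (it is not taken from the thread or from the Dovecot wiki): the v1.x master.cf pipe entry quoted above, with a sudoers rule that matches the poster's description of "only allowed to sudo on the deliver binary", and the v2.0 LMTP transport that replaces both. The sudoers fragment, the conf.d file path and the socket path are assumptions; the Postfix and Dovecot directives themselves are standard syntax.

```conf
# --- Dovecot v1.x: Postfix pipe transport starting deliver through sudo ---

# /etc/postfix/master.cf (the entry from the thread; "mysudoeruser" is the poster's name)
dovecot   unix  -  n  n  -  -  pipe
  flags=DRhu user=mysudoeruser argv=/usr/bin/sudo /usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

# /etc/sudoers fragment (constructed to match "only allowed to sudo on the deliver binary")
# A command listed without arguments may be run with any arguments, and deliver
# runs as root until its userdb lookup finishes, so this rule pins the binary
# but not what a root-started deliver can be told to do. Whoever controls the
# mysudoeruser account, or the argument list handed to the pipe, is therefore
# the trust boundary for root on this host.
Defaults:mysudoeruser env_reset
mysudoeruser ALL = (root) NOPASSWD: /usr/lib/dovecot/deliver

# --- Dovecot v2.0: LMTP, no sudo and no delivery account that must be trusted ---

# /etc/postfix/main.cf
# Postfix hands mail to Dovecot over a unix socket instead of exec'ing a binary.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# /etc/dovecot/conf.d/10-master.conf (assumed file path; standard v2.0 service syntax)
# The socket lives inside the Postfix queue directory so the chrooted smtp
# services can reach it; only the postfix user may connect to it.
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
```

With the LMTP transport the only thing crossing from Postfix into Dovecot is the LMTP protocol on that socket, which is the "no user that must be trusted" property described later in this thread; the remaining exposure is the Dovecot delivery code itself, so keeping the lmtp service patched carries the weight that the sudoers rule used to.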
Hi,
Thank you for your answers :). When should I expect the final (production ready) release of Dovecot 2 (an approximate time period)?
Thank you,
Buzai Andras
On Mon, Jul 12, 2010 at 5:35 PM, Timo Sirainen <tss@iki.fi> wrote:
On 2010-07-12 1:20 PM, Buzai Andras wrote:
When should I expect the final (production ready) release of Dovecot 2 (an approximate time period)?
Sometime between now, and when it is released. ;)
This is free software, and is released when it is ready...
Since it is at rc2, I think you can safely ass-u-me that it will be 'soon' - although in the early days, I remember rc's that numbered as high as in the 30's...
--
Best regards,
Charles
Hi,
I have one more question. It may sound like a dumb question but I'll ask anyway :). Since in Dovecot v2.0, LMTP is running as "root" isn't this a security risk of the same level as running "deliver" with sudo in Dovecot v1.2?
Thank you,
Buzai Andras
On Mon, Jul 12, 2010 at 5:35 PM, Timo Sirainen <tss@iki.fi> wrote:
On Mon, 2010-07-12 at 23:33 +0300, Buzai Andras wrote:
I have one more question. It may sound like a dumb question but I'll ask anyway :). Since in Dovecot v2.0, LMTP is running as "root" isn't this a security risk of the same level as running "deliver" with sudo in Dovecot v1.2?
LMTP runs as root and temporarily drops privileges while delivering mail to the user. Depending on your point of view that's either better or worse than sudo deliver.
It's better because there is no user that must be trusted. Only communication to LMTP server goes via LMTP protocol.
It's worse because if there is a security hole in Dovecot's mailbox handling code, a remote user can get root privileges by simply sending a mail to the server. (With deliver it would get access only to the non-root user running deliver, which may be almost as bad.)