[Dovecot] don't follow symlinks when creating mailbox list
Hi,
this issue was discussed here twice in the not so far history (http://www.dovecot.org/list/dovecot/2008-January/028317.html, http://www.dovecot.org/list/dovecot/2008-February/029147.html), but I need to open it again as it makes problems for our users on one side and on the other side we don't want to diverge from the upstream sources in our packages. I agree with Timo that simply disabling the symlink following in creating the mailbox list can give a false sense of security so the question is whether a permanent solution can be developed and how it should look like?
Regards,
Dan
-- Fedora and Red Hat package maintainer
On Wed, 2008-06-18 at 09:35 +0200, Dan Horák wrote:
this issue was discussed here twice in the not so far history (http://www.dovecot.org/list/dovecot/2008-January/028317.html, http://www.dovecot.org/list/dovecot/2008-February/029147.html), but I need to open it again as it makes problems for our users on one side and on the other side we don't want to diverge from the upstream sources in our packages. I agree with Timo that simply disabling the symlink following in creating the mailbox list can give a false sense of security so the question is whether a permanent solution can be developed and how it should look like?
Permanent solution would be to put your mailboxes in a separate directory where users preferrably don't even have write access, so they can't create broken symlinks.
Other than that, I see only kludgy solutions.
Although I suppose I could consider including a check that keeps track of which directories are scanned and stops if it encounters a loop. Is your problem with loops or just that symlinks point to huge directory structures outside home dir?
Timo Sirainen píše v St 18. 06. 2008 v 12:38 +0300:
On Wed, 2008-06-18 at 09:35 +0200, Dan Horák wrote:
this issue was discussed here twice in the not so far history (http://www.dovecot.org/list/dovecot/2008-January/028317.html, http://www.dovecot.org/list/dovecot/2008-February/029147.html), but I need to open it again as it makes problems for our users on one side and on the other side we don't want to diverge from the upstream sources in our packages. I agree with Timo that simply disabling the symlink following in creating the mailbox list can give a false sense of security so the question is whether a permanent solution can be developed and how it should look like?
Permanent solution would be to put your mailboxes in a separate directory where users preferrably don't even have write access, so they can't create broken symlinks.
Yes, that's true :-)
Other than that, I see only kludgy solutions.
Although I suppose I could consider including a check that keeps track of which directories are scanned and stops if it encounters a loop. Is your problem with loops or just that symlinks point to huge directory structures outside home dir?
The main problem are loops that are taking the imap process into endless search. The February thread contains your workaround (patch) that blocks all symlinks which means even the harmless ones.
Dan
-- Fedora and Red Hat package maintainer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 18 Jun 2008, Dan Horák wrote:
The main problem are loops that are taking the imap process into endless search. The February thread contains your workaround (patch) that blocks all symlinks which means even the harmless ones.
Some people use symlinks to get Shared Folders, therefore I suggest to not ignore symlinks in Dovecot by default.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD4DBQFIWRVOVJMDrex4hCIRAmFoAJUXwhkD9BnF3VV+l/fb1Yql6aohAJ4243mL ri+o6HK60I9sRkWxGLtPZg== =Go0q -----END PGP SIGNATURE-----
participants (3)
-
Dan Horák
-
Steffen Kaiser
-
Timo Sirainen