[Dovecot] Chrooting the Mail processes
Hello!
Could somebody give some feedback on this configuration:
- OpenBSD box with local ssh users.
- /home directory mounted with nosuid,noexec.
- postfix dropping mail in /home/username/mail/INBOX, with the UID/GID of the user.
- dovecot:
    valid_chroot_dirs = /home
    default_mail_env = mbox:/home/%u/mail/:INBOX=/home/%u/mail/INBOX
Are there any obvious ways for a local user to help dovecot escape the chroot jail? How can I check that dovecot is REALLY using /home as chroot jail for the imap process?
Thanks!
Bert Koelewijn
On Sun, 2003-08-24 at 15:49, Bert Koelewijn wrote:
> valid_chroot_dirs = /home
> default_mail_env = mbox:/home/%u/mail/:INBOX=/home/%u/mail/INBOX
> Are there any obvious ways for a local user to help dovecot escape the chroot jail?
Not really. They can of course create hardlinks elsewhere in /home.
> How can I check that dovecot is REALLY using /home as chroot jail for the imap process?
It's not chrooting anywhere yet with those settings. Hmm. I think I'd need to add "mail_chroot" setting which would specify the default chroot.
For now you'd have to change user's home directories to contain /./ to specify chroot. Like "/home/./user".
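The "/./" convention and the default-chroot fallback described above, as an added example that is not Dovecot's code and not part of the original thread. The names `resolve_chroot` and `chroot_allowed` are hypothetical, and the ':'-separated list format and the component-boundary matching are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* 1 if dir equals, or lies beneath, an entry of the ':'-separated list (assumed format). */
static int chroot_allowed(const char *valid_dirs, const char *dir)
{
    /* absolute paths only; conservatively refuse anything containing "/.." */
    if (valid_dirs == NULL || *dir != '/' || strstr(dir, "/..") != NULL)
        return 0;
    while (*valid_dirs != '\0') {
        size_t n = strcspn(valid_dirs, ":");
        /* compare on a path-component boundary: "/home" must not admit "/home2" */
        if (n > 0 && strncmp(dir, valid_dirs, n) == 0 &&
            (dir[n] == '\0' || dir[n] == '/'))
            return 1;
        valid_dirs += n + (valid_dirs[n] == ':');
    }
    return 0;
}

/* Chroot = part of home before the first "/./", else default_chroot (may be NULL
 * when the setting is unset). Returns 1 (chroot in buf), 0 (none), -1 (rejected). */
static int resolve_chroot(const char *home, const char *default_chroot,
                          const char *valid_dirs, char *buf, size_t buflen)
{
    const char *mark = strstr(home, "/./");
    const char *src = default_chroot;
    size_t len = 0;
    if (mark != NULL && mark != home) {
        src = home;
        len = (size_t)(mark - home);
    } else if (src != NULL) {
        len = strlen(src);
    }
    if (len == 0)
        return 0;
    if (len >= buflen)
        return -1;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return chroot_allowed(valid_dirs, buf) ? 1 : -1;
}

int main(void)
{
    char buf[64];
    printf("%d\n", resolve_chroot("/home/./bert", NULL, "/home", buf, sizeof buf));
    return 0;
}
```

A return of 0 for "/home/bert" with no default is the situation in the original configuration: listing /home as a valid chroot directory permits the chroot but does not request it.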
Timo,
I think you forgot to post some diff's:
MEMBER(valid_chroot_dirs) NULL,
MEMBER(mail_chroot) ...
and this can't be right:
static int validate_chroot(const char *dir)
{
    const char *const *chroot_dirs;

    if (*dir == '\0')
        return FALSE;
    if (set->valid_chroot_dirs == NULL)
        return FALSE;
and some more I guess.
But thanks for your fast reply anyway!
Bert
Timo Sirainen wrote:
On Sun, 2003-08-24 at 16:07, Timo Sirainen wrote:
> It's not chrooting anywhere yet with those settings. Hmm. I think I'd need to add "mail_chroot" setting which would specify the default chroot.
Here's a patch.
------------------------------------------------------------------------
diff -ru dovecot-0.99.10/dovecot-example.conf dovecot-0.99.10.new/dovecot-example.conf --- dovecot-0.99.10/dovecot-example.conf 2003-06-26 19:11:06.000000000 +0300 +++ dovecot-0.99.10.new/dovecot-example.conf 2003-08-24 16:11:56.000000000 +0300 @@ -166,6 +166,10 @@ # allow shell access for users. See doc/configuration.txt for more information. #valid_chroot_dirs =
+# Default chroot directory for mail processes. This can be overridden by +# giving /./ in user's home directory (eg. /home/./user chroots into /home). +#mail_chroot = + # Default MAIL environment to use when it's not set. By leaving this empty # dovecot tries to do some automatic detection as described in # doc/mail-storages.txt. There's a few special variables you can use: diff -ru dovecot-0.99.10/src/master/mail-process.c dovecot-0.99.10.new/src/master/mail-process.c --- dovecot-0.99.10/src/master/mail-process.c 2003-06-25 02:26:44.000000000 +0300 +++ dovecot-0.99.10.new/src/master/mail-process.c 2003-08-24 16:12:34.000000000 +0300 @@ -118,6 +118,9 @@ home_dir = data + reply->home_idx; chroot_dir = data + reply->chroot_idx;
+ if (*chroot_dir == '\0') + chroot_dir = set->mail_chroot; + if (*chroot_dir != '\0' && !validate_chroot(chroot_dir)) { i_error("Invalid chroot directory: %s", chroot_dir); return FALSE; diff -ru dovecot-0.99.10/src/master/master-settings.c dovecot-0.99.10.new/src/master/master-settings.c --- dovecot-0.99.10/src/master/master-settings.c 2003-05-21 14:43:04.000000000 +0300 +++ dovecot-0.99.10.new/src/master/master-settings.c 2003-08-24 16:11:56.000000000 +0300 @@ -43,6 +43,7 @@
/* mail */ DEF(SET_STR, valid_chroot_dirs), + DEF(SET_STR, mail_chroot), DEF(SET_INT, max_mail_processes), DEF(SET_BOOL, verbose_proctitle),
diff -ru dovecot-0.99.10/src/master/master-settings.h dovecot-0.99.10.new/src/master/master-settings.h --- dovecot-0.99.10/src/master/master-settings.h 2003-05-18 15:26:29.000000000 +0300 +++ dovecot-0.99.10.new/src/master/master-settings.h 2003-08-24 16:11:56.000000000 +0300 @@ -29,6 +29,7 @@
/* mail */ const char *valid_chroot_dirs; + const char *mail_chroot; unsigned int max_mail_processes; int verbose_proctitle;
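Review bot: The new mail_chroot comment in the dovecot-example.conf hunk does not mention that the default still passes through validate_chroot() in mail-process.c, so a mail_chroot value not covered by valid_chroot_dirs ends in "Invalid chroot directory" and a FALSE return. Say in the comment that the directory must also be listed in valid_chroot_dirs.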
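Review bot: In the mail-process.c hunk, the fallback `chroot_dir = set->mail_chroot;` is followed directly by `*chroot_dir != '\0'`, so a NULL mail_chroot pointer is dereferenced when the setting has no value. Guard the assignment with a NULL check, or make sure the setting always holds at least an empty string.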
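Review bot: master-settings.c gains `DEF(SET_STR, mail_chroot)` and master-settings.h the matching struct member, but no hunk in this patch gives the new field an explicit initial value. Add the initializer next to the one for valid_chroot_dirs so the field's starting state is defined rather than implied.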
On Sunday, Aug 24, 2003, at 21:17 Europe/Helsinki, Bert Koelewijn wrote:
> I think you forgot to post some diff's:
> MEMBER(valid_chroot_dirs) NULL,
> MEMBER(mail_chroot) ...
Oh, forgot to add it myself too. Looks like gcc 3 doesn't anymore complain if some of those are missing.
> and this can't be right:
> static int validate_chroot(const char *dir)
> {
>     const char *const *chroot_dirs;
>
>     if (*dir == '\0')
>         return FALSE;
>     if (set->valid_chroot_dirs == NULL)
>         return FALSE;
I don't see why not? The point of that function is to return TRUE if given directory is found from valid_chroot_dirs list.
On Monday, Aug 25, 2003, at 02:14 Europe/Helsinki, Timo Sirainen wrote:
> static int validate_chroot(const char *dir)
> I don't see why not? The point of that function is to return TRUE if given directory is found from valid_chroot_dirs list.
Well, it crashed before calling it :) --- mail-process.c 24 Aug 2003 13:14:47 -0000 1.32 +++ mail-process.c 25 Aug 2003 03:02:49 -0000 1.33 @@ -156,7 +156,7 @@ home_dir = data + reply->home_idx; chroot_dir = data + reply->chroot_idx; - if (*chroot_dir == '\0') + if (*chroot_dir == '\0' && set->mail_chroot != NULL) chroot_dir = set->mail_chroot; if (*chroot_dir != '\0' && !validate_chroot(set, chroot_dir)) {
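Review bot: The context here does not match the 0.99.10 patch posted earlier in the thread: this hunk sits at line 156 and calls `validate_chroot(set, chroot_dir)`, where the earlier one sits at line 118 and calls `validate_chroot(chroot_dir)`, so it will not apply cleanly on top of that patch. Anyone patching a 0.99.10 tree needs to carry over the added `&& set->mail_chroot != NULL` condition by hand.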