[Dovecot] Solving CVE-2008-4870
Hi,

we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.

This problem seems to be a little more complicated than we thought. dovecot.conf can contain the passphrase for the ssl key, which is available to everyone since dovecot.conf has world-readable permissions. (The CVE's description notes that it is RHEL's/Fedora's problem, but it affects all systems imo.)

We were thinking about a few ways to fix it:

- 0640 permissions for dovecot.conf - but then it can become unreadable for dovecot
- 0640 root:mail and set deliver to group mail with sgid - possible security problem
- don't store the passphrase in dovecot.conf, just ask for it when dovecot is started - can hang the boot process, not good

As part of investigating, I've found that dovecot stores all variables in environment variables - does that mean even the passphrase? I'm not completely sure, but all variables can be read via /proc/<pid>/environ (I don't know if it becomes readable in some circumstances).

Is there any plan to solve this problem?

Cheers,
Michal
Hello,

Michal Hlavinka wrote (13 Nov 2008 11:03:48 GMT):

> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.
> This problem seems to be a little more complicated than we thought.
> dovecot.conf can contain the passphrase for the ssl key, which is available to everyone since dovecot.conf has world-readable permissions.
> (The CVE's description notes that it is RHEL's/Fedora's problem, but it affects all systems imo.)
> We were thinking about a few ways to fix it:
> - 0640 permissions for dovecot.conf - but then it can become unreadable for dovecot

File-system ACLs are usually my preferred solution for this class of problems (i.e. set 0640 permissions, and add read access for the dovecot user via ACLs).

But it may not be applicable from a distribution point of view, since it's hard to guarantee that the file-system where /etc lives is mounted with ACLs enabled, or even supports them.

It may be a good long-term idea for distributions to migrate installed systems to ACL-enabled root file-systems, and to enable them by default on new installs. Once that's done, this whole class of problems will find a natural and easily applicable solution.

Bye,
intrigeri

intrigeri@boum.org | gnupg key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| Do not be trapped by the need to achieve anything.
| This way, you achieve everything.
On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:

> Hi,
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.
> This problem seems to be a little more complicated than we thought.
> dovecot.conf can contain the passphrase for the ssl key, which is available to everyone since dovecot.conf has world-readable permissions.

Maybe a new separate dovecot-secret.conf? When Dovecot starts up it first reads dovecot.conf and after that dovecot-secret.conf. deliver wouldn't read dovecot-secret.conf at all.
On Thu, 2008-11-13 at 15:57 +0200, Timo Sirainen wrote:

> On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
>
> > Hi,
> > we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.
> > This problem seems to be a little more complicated than we thought.
> > dovecot.conf can contain the passphrase for the ssl key, which is available to everyone since dovecot.conf has world-readable permissions.
>
> Maybe a new separate dovecot-secret.conf? When Dovecot starts up it first reads dovecot.conf and after that dovecot-secret.conf. deliver wouldn't read dovecot-secret.conf at all.

Added !include and !include_try:
http://hg.dovecot.org/dovecot-1.1/rev/5f471f5b06d2
http://hg.dovecot.org/dovecot-1.1/rev/313d1195318f

deliver will currently just skip !include_try lines and gives an error if !include is used. So for now it's not a good idea to start using !include in default settings. :)
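The split that Michal's post is after and that Timo's !include / !include_try change enables, as an added shell example that is not part of this thread or of Dovecot itself: a small audit that starts at dovecot.conf, follows !include and !include_try lines the way the new directive does (relative paths against the including file's directory, globs expanded, missing files skipped), and flags any file in that tree that carries the key passphrase while still being world-readable. The demo builds a constructed config tree in a temp directory with the passphrase moved into dovecot-secret.conf and shows the audit failing at 0644 and passing at 0640. Assumed rather than taken from the page: the Dovecot setting name ssl_key_password, the filler line protocols = imap imaps, and all file, function and passphrase values used here.

```shell
#!/bin/sh
# Added example (not Dovecot's own code): audit a Dovecot config tree for a
# key passphrase sitting in a world-readable file. Follows !include and
# !include_try (dovecot-1.1) so the secret can live in dovecot-secret.conf.
# Assumed: the passphrase setting is named ssl_key_password.

# is_world_readable FILE -> true if the "other" read bit is set
is_world_readable() {
    # 8th character of "ls -l" output is the other-read bit: "r" or "-"
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# collect_files CONF -> prints CONF and every file it pulls in through
# !include / !include_try, recursively. Relative paths resolve against the
# including file's directory, globs are expanded, missing files are skipped
# (the !include_try behaviour; a missing !include makes Dovecot itself fail).
collect_files() {
    [ -f "$1" ] || return 0
    printf '%s\n' "$1"
    _dir=$(dirname "$1")
    grep -E '^[[:space:]]*!include(_try)?[[:space:]]+' "$1" 2>/dev/null |
    while read -r _kw _path; do
        case $_path in /*) ;; *) _path="$_dir/$_path" ;; esac
        for _f in $_path; do            # unquoted on purpose: expand globs
            ( collect_files "$_f" )     # subshell keeps _dir/_f per level
        done
    done
}

# audit_conf CONF -> 0 when no file holding ssl_key_password is world-readable,
# 1 otherwise (offending files reported on stderr)
audit_conf() {
    _bad=$(collect_files "$1" | while read -r _f; do
        if grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=' "$_f" &&
           is_world_readable "$_f"; then
            echo "$_f"
        fi
    done)
    if [ -n "$_bad" ]; then
        echo "world-readable file(s) contain ssl_key_password:" >&2
        echo "$_bad" >&2
        return 1
    fi
    return 0
}

# demo -> 0 when the audit flags a 0644 secret file and accepts it at 0640.
# Everything below is constructed for the example.
demo() {
    _d=$(mktemp -d) || return 2
    # main config stays world-readable: no secret inside, only the include
    printf 'protocols = imap imaps\n' > "$_d/dovecot.conf"
    printf '!include_try dovecot-secret.conf\n' >> "$_d/dovecot.conf"
    chmod 0644 "$_d/dovecot.conf"
    # secret config with a constructed passphrase, wrongly left at 0644
    printf 'ssl_key_password = constructed-example-passphrase\n' > "$_d/dovecot-secret.conf"
    chmod 0644 "$_d/dovecot-secret.conf"
    if audit_conf "$_d/dovecot.conf" 2>/dev/null; then
        rm -rf "$_d"; return 1          # leak not detected
    fi
    chmod 0640 "$_d/dovecot-secret.conf"
    audit_conf "$_d/dovecot.conf"; _rc=$?
    rm -rf "$_d"
    return $_rc
}

demo && echo "audit behaves as expected"
```

The check looks only at the "other" read bit, so it also accepts intrigeri's ACL variant (0640 plus an ACL read grant for the dovecot user) and flags the original single-file layout as soon as the passphrase line is present. It says nothing about the /proc/<pid>/environ question Michal raises; that is a runtime check on the running process, not on the files.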