[Dovecot] [PATCH] drop root privileges on solaris, request for testing
Hello all,
this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot.
Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)
Best regards.
On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> Hello all,
> this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot.
> Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)
Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)
On Dec 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
> On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> > Hello all,
> > this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot.
> > Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)
> Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)
I have no objections for this plan :)
Andrey Panin wrote:
> On Dec 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
> > On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> > > Hello all,
> > > this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot.
> > > Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)
> > Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)
> I have no objections for this plan :)
Sorry I missed this when first announced (wasn't paying attention I guess).
I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.
We actually run our live Dovecot on a Solaris 8 box, but Solaris 8 doesn't support setppriv, I think.
Best Wishes, Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
On Dec 18, 2008 at 12:50:11PM +0000, Chris Wakelin wrote:
> Andrey Panin wrote:
> > On Dec 14, 2008 at 08:03:25AM +0200, Timo Sirainen wrote:
> > > On Fri, 2008-11-21 at 15:30 +0300, Andrey Panin wrote:
> > > > Hello all,
> > > > this patch allows master process to drop more root privileges under Solaris. My limited testing shows that code works, but I'm not sure that defined privilege set is permissive enough for dovecot.
> > > > Unfortunately I have no root access to our Solaris servers to really test it. So if someone is ready to test this patch please do it :)
> > > Since no-one's offered to test perhaps I'll just put this into v1.2 and see if anyone complains? :)
> > I have no objections for this plan :)
> Sorry I missed this when first announced (wasn't paying attention I guess).
> I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
> dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
> dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
> dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
> The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.
Can you try running "ppriv -D dovecot" to determine which privilege is missing ?
> We actually run our live Dovecot on a Solaris 8 box, but Solaris 8 doesn't support setppriv, I think.
Andrey Panin wrote:
> > I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
> > dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
> > dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
> > dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
> > The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.
> Can you try running "ppriv -D dovecot" to determine which privilege is missing ?
Difficult as the dovecot master process dies as soon as the dovecot-auth process ends. I ran a "truss -f" on it though and found:
26409: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0400000000000000}) = 0
26409: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0400000000000000}) = 0
...
26411: setgroups(11, 0x0006C290) Err#1 EPERM [proc_setid]
26411: write(2, "01 F i n i t g r o u p s".., 40) = 40
26411: _exit(89)
From the setgroups manpage:
ERRORS
  The getgroups() and setgroups() functions will fail if:
  ...
  EPERM  The {PRIV_PROC_SETID} privilege is not asserted in the effective set of the calling process.
I tried omitting PRIV_PROC_SETID from the list in capabilities-solaris.c but that doesn't seem to make much difference except
19468: setppriv(PRIV_SET, PRIV_PERMITTED, {0250004b0000000000000000}) = 0
19468: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0000000000000000}) = 0
I don't know much about process privileges, but could it be that the dovecot-auth subprocess isn't inheriting the privileges from the master process?
I can send you the whole truss files if you like.
Best Wishes, Chris
Chris Wakelin wrote:
> Andrey Panin wrote:
> > > I've applied the patch to Dovecot 1.1.7 (with minor change to configure.in) on Solaris 10 sparc 64-bit but Dovecot fails on startup
> > > dovecot: Dec 18 12:45:47 Info: Dovecot v1.1.7 starting up
> > > dovecot: Dec 18 12:45:47 Fatal: auth(default): initgroups(root, 0) failed: Not owner
> > > dovecot: Dec 18 12:45:47 Fatal: Auth process died too early - shutting down
> > > The same config with vanilla Dovecot 1.1.7 works fine, so I'm guessing it dropped too many privileges.
> > Can you try running "ppriv -D dovecot" to determine which privilege is missing ?
Aha! I found out why that didn't work; needs "-e".
# ppriv -D -e dovecot
dovecot[19610]: missing privilege "ALL" (euid = 65534, syscall = 23) needed at setuid+0x98
dovecot[19610]: missing privilege "proc_setid" (euid = 65534, syscall = 46) needed at setgid+0x9c
imap[19610]: missing privilege "ALL" (euid = 65534, syscall = 23) needed at setuid+0x98
# ppriv -D -s +proc_setid -e dovecot
dovecot[19632]: missing privilege "ALL" (euid = 65534, syscall = 23) needed at setuid+0x98
Fatal: We couldn't drop root group privileges (wanted=65534, gid=0, egid=0)
Error: imap dump-capability process returned 89
Fatal: Invalid configuration in dovecot.conf
I'm confused as to whether the list in capabilities-solaris.c is privileges to drop or privileges to set?
Best Wishes, Chris
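
An added example (not part of the thread and not Dovecot's code) for reading the diagnostics posted above: it groups `ppriv -D` "missing privilege" lines by privilege and call site, and diffs the two `setppriv` masks from the truss output. The sample input is copied from the messages above; the byte and bit positions are positions in truss's printed hex string and are not mapped to privilege names.

```python
import re
from collections import defaultdict

# Sample input taken from the messages in this thread.
PPRIV_LOG = '''\
dovecot[19610]: missing privilege "ALL" (euid = 65534, syscall = 23) needed at setuid+0x98
dovecot[19610]: missing privilege "proc_setid" (euid = 65534, syscall = 46) needed at setgid+0x9c
imap[19610]: missing privilege "ALL" (euid = 65534, syscall = 23) needed at setuid+0x98
'''
TRUSS_WITH = "26409: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0400000000000000}) = 0"
TRUSS_WITHOUT = "19468: setppriv(PRIV_SET, PRIV_EFFECTIVE, {0250004b0000000000000000}) = 0"

MISSING = re.compile(
    r'^(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: missing privilege "(?P<priv>[^"]+)" '
    r'\(euid = (?P<euid>\d+), syscall = (?P<sys>\d+)\) needed at (?P<site>\S+?)\+0x[0-9a-f]+$'
)
SETPPRIV = re.compile(r'setppriv\((\w+), (\w+), \{([0-9a-fA-F]+)\}\)')

def missing_privileges(log):
    """Map each privilege reported missing to the (process, call site, euid) that needed it."""
    needed = defaultdict(set)
    for line in log.splitlines():
        m = MISSING.match(line.strip())
        if m:
            needed[m["priv"]].add((m["proc"], m["site"], int(m["euid"])))
    return dict(needed)

def mask_of(truss_line):
    """Return (operation, set name, mask bytes) from one truss setppriv line."""
    op, which, hexmask = SETPPRIV.search(truss_line).groups()
    return op, which, bytes.fromhex(hexmask)

def changed_bits(line_a, line_b):
    """List (byte index, bit index) positions where the two printed masks differ."""
    a, b = mask_of(line_a)[2], mask_of(line_b)[2]
    if len(a) != len(b):
        raise ValueError("privilege sets have different sizes")
    return [(i, bit) for i, (x, y) in enumerate(zip(a, b))
            for bit in range(8) if (x ^ y) >> bit & 1]

if __name__ == "__main__":
    for priv, sites in sorted(missing_privileges(PPRIV_LOG).items()):
        print(priv, sorted(sites))
    print(mask_of(TRUSS_WITH)[:2], changed_bits(TRUSS_WITH, TRUSS_WITHOUT))
```

On the thread's data the two masks differ in exactly one bit, matching the single entry removed from the list in capabilities-solaris.c, and both calls use `PRIV_SET`, which replaces the named set with the mask passed in.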
participants (3)
- Andrey Panin
- Chris Wakelin
- Timo Sirainen