[Dovecot] Why can NOT login as root
Hi, I use Dovecot and it works OK for users except for the root user. It is impossible to log in as root. Here is a log:
Sep 10 10:15:44 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 10 10:15:44 auth: Debug: auth client connected (pid=18077)
Sep 10 10:15:44 auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=212.97.133.82 rip=212.97.133.82 lport=143 rport=34645 resp=<hidden>
Sep 10 10:15:44 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 10 10:15:44 auth: Debug: pam(root,212.97.133.82): lookup service=dovecot
Sep 10 10:15:44 auth: Debug: pam(root,212.97.133.82): #1/1 style=1 msg=Password:
Sep 10 10:15:44 auth: Debug: client out: OK 1 user=root
Sep 10 10:15:44 auth: Debug: master in: REQUEST 2889482241 18077 1 3500554cf70742dfc0515671c7671bbd
Sep 10 10:15:44 auth: Debug: passwd(root,212.97.133.82): lookup
Sep 10 10:15:44 auth: Debug: master out: USER 2889482241 root system_groups_user=root uid=0 gid=0 home=/root
Sep 10 10:15:44 imap-login: Info: Login: user=<root>, method=PLAIN, rip=212.97.133.82, lip=212.97.133.82, mpid=18082, secured
Sep 10 10:15:44 imap: Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Sep 10 10:15:44 imap: Error: Invalid user settings. Refer to server log for more information.
Can anyone help? Thanks, LL.
On 09/10/2011 10:04 AM jana1972@centrum.cz wrote:
Hi, I use Dovecot and it works OK for users except for the root user. It is impossible to log in as root. Here is a log:
…
Sep 10 10:15:44 imap: Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Sep 10 10:15:44 imap: Error: Invalid user settings. Refer to server log for more information.
Can anyone help?
http://hg.dovecot.org/dovecot-1.2/file/02c2ac9ddf8c/dovecot-example.conf:
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
Regards, Pascal
The trapper recommends today: cafebabe.1125310@localdomain.org
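To make the rule Pascal quotes concrete, here is an added example (not code from the thread or from Dovecot itself) that parses the "master out: USER ..." userdb replies from auth debug output and applies the same policy: uid 0 is refused unconditionally, then the first_valid_uid / last_valid_uid range is checked. The log lines are constructed; the root line is the one from the original post, the alice and daemon lines are made up for illustration. The defaults (500 and "no upper bound") follow the config comment above.

```python
import re
from typing import Dict, List

# Constructed sample of Dovecot auth/imap debug output. The first "master out"
# line is copied from the original post; the alice and daemon lines are made up.
SAMPLE_LOG = """\
Sep 10 10:15:44 auth: Debug: master out: USER 2889482241 root system_groups_user=root uid=0 gid=0 home=/root
Sep 10 10:15:44 imap: Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Sep 10 10:16:02 auth: Debug: master out: USER 2889482242 alice system_groups_user=alice uid=1000 gid=1000 home=/home/alice
Sep 10 10:16:30 auth: Debug: master out: USER 2889482243 daemon system_groups_user=daemon uid=2 gid=2 home=/
"""

# The userdb answer the auth process hands to the master process:
# "USER <request-id> <user> key=value key=value ..."
USER_LINE = re.compile(
    r"master out: USER (?P<req>\d+) (?P<user>\S+)(?P<fields>(?: \S+=\S*)*)"
)


def parse_userdb_replies(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per 'master out: USER' line: the user plus its key=value fields."""
    replies = []
    for line in log_text.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue
        entry = {"user": m.group("user")}
        for field in m.group("fields").split():
            key, _, value = field.partition("=")
            entry[key] = value
        replies.append(entry)
    return replies


def check_uid_policy(uid: int, first_valid_uid: int = 500, last_valid_uid: int = 0) -> str:
    """Apply the rules described in the thread: uid 0 is refused regardless of the
    configured range; then first_valid_uid/last_valid_uid apply.
    last_valid_uid=0 means no upper bound (Dovecot's default)."""
    if uid == 0:
        return "reject: uid 0 is refused regardless of first_valid_uid"
    if uid < first_valid_uid:
        return f"reject: uid {uid} is below first_valid_uid={first_valid_uid}"
    if last_valid_uid and uid > last_valid_uid:
        return f"reject: uid {uid} is above last_valid_uid={last_valid_uid}"
    return "accept"


def audit_log(log_text: str, first_valid_uid: int = 500, last_valid_uid: int = 0) -> List[Dict[str, str]]:
    """Annotate every userdb reply in the log with the verdict the uid policy gives.
    A reply without a uid field is flagged too, since the imap process cannot drop
    privileges to an unknown uid."""
    results = []
    for entry in parse_userdb_replies(log_text):
        uid = int(entry.get("uid", "-1"))
        if uid < 0:
            verdict = "reject: no uid in userdb reply"
        else:
            verdict = check_uid_policy(uid, first_valid_uid, last_valid_uid)
        results.append({"user": entry["user"], "uid": str(uid), "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        print(f"{r['user']:<8} uid={r['uid']:<6} {r['verdict']}")
```

Running it over the sample shows root rejected even though PAM accepted the password (which matches the "userdb returned 0 as uid" error in the original log), alice accepted, and daemon rejected by the first_valid_uid range; pointing it at a real auth debug log (auth_debug=yes) is a quick way to see which userdb entries fall outside the configured range.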
As far as I recall, IMAP servers generally don't allow access to root.
According to the Dovecot wiki, this is hard-coded in the binary: http://wiki.dovecot.org/MainConfig see under "first_valid_uid"
If the root user is receiving emails, these need to be redirected to another user so they can be read via IMAP.
John
On 10/09/2011 10:04, jana1972@centrum.cz wrote:
Hi, I use Dovecot and it works OK for users except for the root user. It is impossible to log in as root. Here is a log:
Sep 10 10:15:44 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 10 10:15:44 auth: Debug: auth client connected (pid=18077)
Sep 10 10:15:44 auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=212.97.133.82 rip=212.97.133.82 lport=143 rport=34645 resp=<hidden>
Sep 10 10:15:44 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Sep 10 10:15:44 auth: Debug: pam(root,212.97.133.82): lookup service=dovecot
Sep 10 10:15:44 auth: Debug: pam(root,212.97.133.82): #1/1 style=1 msg=Password:
Sep 10 10:15:44 auth: Debug: client out: OK 1 user=root
Sep 10 10:15:44 auth: Debug: master in: REQUEST 2889482241 18077 1 3500554cf70742dfc0515671c7671bbd
Sep 10 10:15:44 auth: Debug: passwd(root,212.97.133.82): lookup
Sep 10 10:15:44 auth: Debug: master out: USER 2889482241 root system_groups_user=root uid=0 gid=0 home=/root
Sep 10 10:15:44 imap-login: Info: Login: user=<root>, method=PLAIN, rip=212.97.133.82, lip=212.97.133.82, mpid=18082, secured
Sep 10 10:15:44 imap: Error: user root: Invalid settings in userdb: userdb returned 0 as uid
Sep 10 10:15:44 imap: Error: Invalid user settings. Refer to server log for more information.
Can anyone help? Thanks, LL.
John Allen wrote:
As far as I recall, IMAP servers generally don't allow access to root.
According to the Dovecot wiki, this is hard-coded in the binary: http://wiki.dovecot.org/MainConfig see under "first_valid_uid"
If the root user is receiving emails, these need to be redirected to another user so they can be read via IMAP.
I guess the source needs a patch.
Why would dovecot choose to play nursemaid to people who want to read root email remotely via IMAPS?
I can log in via SSH, so why not allow it with secure IMAP? I suppose really, if someone wants to run as root with no password dovecot should be **configurable** to allow this -- as we can't always understand the needs of end users.
Example. You have a system on which root uid=0 means nothing (assigns no privs -- all assigned via privilege/capability bits).
This means dovecot is hardcoded to lock out a user that may have no privileges, but has no prob permitting access to those with full Capability/priv sets.
That is NOT remotely a secure design -- not that it "allows login to those w/caps", but that it bogusly tries to invalidate site-security policies that it doesn't like.
Samba has done this and actually disparages people who don't use conventional security policies as 'insecure', when those same people can point out a multitude of ways samba can be easily -- in the ways that the samba team _recommend_ -- accidentally or surreptitiously configured insecurely. When it is asked why alternate security policies are insecure, they change the subject and agree grudgingly to re-allow 'banned' commands under options like "allow insecure XXXX"...
Trying to 'play nursemaid' to users is a bad security policy -- since as soon as you (like the samba team leader said, "we had to make it impossible to configure samba insecurely") do that, you are asking for trouble; because then users think they don't have to worry about how they config things, it will always be secure... and we know that is very untrue!
On 20.9.2011, at 2.22, Linda Walsh wrote:
I can log in via SSH, so why not allow it with secure IMAP? I suppose really, if someone wants to run as root with no password dovecot should be **configurable** to allow this -- as we can't always understand the needs of end users.
Because there's no good reason to read mails as root. If you can give me a good reason I might reconsider, but I highly doubt that's going to happen.
Anyway it's mainly about making sure that in the case of some internal security hole (or misconfiguration) in Dovecot at least that security hole couldn't be leveraged to gain root privileges that would allow reading everyone's mails.
Example. You have a system on which root uid=0 means nothing (assigns no privs -- all assigned via privilege/capability bits).
This means dovecot is hardcoded to lock out a user that may have no privileges, but has no prob permitting access to those with full Capability/priv sets.
Rare, and in such cases irrelevant.
On Tue, 20 Sep 2011 02:50:32 +0300, Timo Sirainen wrote:
On 20.9.2011, at 2.22, Linda Walsh wrote:
I can log in via SSH, so why not allow it with secure IMAP? I suppose really, if someone wants to run as root with no password dovecot should be **configurable** to allow this -- as we can't always understand the needs of end users.
Because there's no good reason to read mails as root. If you can give me a good reason I might reconsider, but I highly doubt that's going to happen.
Anyway it's mainly about making sure that in the case of some internal security hole (or misconfiguration) in Dovecot at least that security hole couldn't be leveraged to gain root privileges that would allow reading everyone's mails.
Example. You have a system on which root uid=0 means nothing (assigns no privs -- all assigned via privilege/capability bits).
This means dovecot is hardcoded to lock out a user that may have no privileges, but has no prob permitting access to those with full Capability/priv sets.
Rare, and in such cases irrelevant.
On Tue, 20 Sep 2011 13:49:23 +1000, Alex wrote:
On Tue, 20 Sep 2011 02:50:32 +0300, Timo Sirainen wrote:
On 20.9.2011, at 2.22, Linda Walsh wrote:
I can log in via SSH, so why not allow it with secure IMAP? I suppose really, if someone wants to run as root with no password dovecot should be **configurable** to allow this -- as we can't always understand the needs of end users.
Because there's no good reason to read mails as root. If you can give me a good reason I might reconsider, but I highly doubt that's going to happen.
Anyway it's mainly about making sure that in the case of some internal security hole (or misconfiguration) in Dovecot at least that security hole couldn't be leveraged to gain root privileges that would allow reading everyone's mails.
Example. You have a system on which root uid=0 means nothing (assigns no privs -- all assigned via privilege/capability bits).
This means dovecot is hardcoded to lock out a user that may have no privileges, but has no prob permitting access to those with full Capability/priv sets.
Rare, and in such cases irrelevant.
On 09/20/2011 01:22 AM Linda Walsh wrote:
I guess the source needs a patch. Why would dovecot choose to play nursemaid to people who want to read root email remotely via IMAPS?
…
So, why do you not simply create and apply the patch? Dovecot is OSS. You are free to modify it in order to satisfy your special requirements.
EOD Pascal
The trapper recommends today: f007ba11.1126301@localdomain.org
On 2011-09-19 7:22 PM, Linda Walsh <dovecot@tlinx.org> wrote:
If the root user is receiving emails, these need to be redirected to another user so they can be read via IMAP.
I guess the source needs a patch.
Only if you like wasting your time.
Why would dovecot choose to play nursemaid to people who want to read root email remotely via IMAPS?
It is generally considered 'standard procedure' to alias root to another user account for mail. That's one of the first things I do when setting up a new server, whether it is a mail server or other...
--
Best regards,
Charles
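John's and Charles's advice is to alias root's mail to an ordinary account rather than patch Dovecot. As an added example (not code from the thread or from any MTA), here is a small Python helper that sets the root entry in a sendmail-style aliases file idempotently, keeps every other line intact, refuses a target that would loop mail back to root, and parses the result so the change can be verified. The `demo()` function runs it against a constructed aliases file in a temporary directory; the path /etc/aliases and the account name mailadmin are assumptions for illustration.

```python
import os
import tempfile
from typing import Dict, Optional


def parse_aliases(text: str) -> Dict[str, str]:
    """Parse a sendmail-style aliases file: 'name: target' lines, '#' comments,
    and continuation lines (leading whitespace) appended to the previous entry."""
    aliases: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current] = (aliases[current] + " " + raw.strip()).strip()
            continue
        name, sep, target = raw.partition(":")
        if not sep:
            continue  # malformed line, ignore
        current = name.strip()
        aliases[current] = target.strip()
    return aliases


def set_root_alias(aliases_path: str, target: str) -> str:
    """Point the 'root' alias at `target`, replacing any existing root entry
    (including its continuation lines) and leaving all other lines untouched.
    Returns the new file text. A target of 'root' or '' is refused because it
    would route root's mail straight back to root."""
    if target.strip() in ("root", ""):
        raise ValueError("alias target must be a non-root account")
    with open(aliases_path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    new_lines = []
    replaced = False
    skipping = False  # True while dropping continuation lines of the old root entry
    for line in lines:
        if skipping and line[:1] in (" ", "\t"):
            continue
        skipping = False
        name, sep, _ = line.partition(":")
        if sep and name.strip() == "root" and not line.lstrip().startswith("#"):
            new_lines.append(f"root: {target}")
            replaced = True
            skipping = True
            continue
        new_lines.append(line)
    if not replaced:
        new_lines.append(f"root: {target}")
    text = "\n".join(new_lines) + "\n"
    with open(aliases_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return text


def demo() -> Dict[str, str]:
    """Apply the change to a constructed aliases file and return the parsed result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aliases")  # stands in for /etc/aliases
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample aliases file\npostmaster: root\nroot: root\n")
        text = set_root_alias(path, "mailadmin")  # 'mailadmin' is an assumed account
        return parse_aliases(text)


if __name__ == "__main__":
    print(demo())
```

After editing the real /etc/aliases the MTA's alias database has to be rebuilt (newaliases on Sendmail and Postfix) before the change takes effect, and the target account should itself pass Dovecot's uid range so its mailbox can be read over IMAP.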
participants (7): Alex, Charles Marcus, jana1972@centrum.cz, John Allen, Linda Walsh, Pascal Volk, Timo Sirainen