[Dovecot] valid_chroot_dirs question
Hello,
I've got a dovecot setup using PAM and real system users. In this setup I also use pure-ftpd to give local users ftp access to their $HOMEs. To have pure-ftpd chroot into the user home I replaced /home/user with /home/user/./ in /etc/passwd. Unfortunately this breaks Dovecot this way:
Oct 23 18:18:20 localhost dovecot: Invalid chroot directory '/home/foo' (user foo) (see valid_chroot_dirs in config file)
and dovecot.conf says
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot or auth_chroot variables.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. See doc/configuration.txt for more information.
#valid_chroot_dirs =
Now if I set
valid_chroot_dirs = /home
everything works, but the WARNING pretty much scares me since user foo HAS shell access. Is this safe? Is there a way to avoid this? Why can't I chroot to /home/foo/./ if I can to /home/foo?
I'm on 1.0rc10
thanks
On Mon, 2006-10-23 at 18:32 +0200, Luca Corti wrote:
> # ':' separated list of directories under which chrooting is allowed for mail
> # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
> # This setting doesn't affect login_chroot or auth_chroot variables.
> # WARNING: Never add directories here which local users can modify, that
> # may lead to root exploit. Usually this should be done only if you don't
> # allow shell access for users. See doc/configuration.txt for more information.
> #valid_chroot_dirs =
> Now if I set
> valid_chroot_dirs = /home
> everything works, but the WARNING pretty much scares me since user foo HAS shell access. Is this safe? Is there a way to avoid this? Why can't I chroot to /home/foo/./ if I can to /home/foo?
Well, the warning is perhaps a bit too cautious. As long as
- Dovecot has no security holes
- You're not giving users the possibility to run all kinds of system commands via IMAP (can't see a reason to do that..)
there shouldn't be any problems.
Also if the /home partition is mounted with nosuid option it's always safe.
The problem is that a user can hardlink a setuid binary (e.g. /bin/su) inside the chroot and create his own lib/libc.so. After that it only needs to be executed inside the chroot.
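Added example, not part of the original thread and not Dovecot code: a shell check that each valid_chroot_dirs entry sits on a filesystem mounted nosuid, plus a find for setuid files that have extra hard links. The function names and the sample mounts table are constructed for illustration.

```shell
#!/bin/sh
# Paths are assumed absolute and already normalised (no "/./" or "..").

# Print the mount options of the filesystem holding path $1.
# $2: mounts table in /proc/mounts format (default /proc/mounts).
# Longest matching mount point wins; ">=" lets a later mount shadow an earlier one.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2 }
        mp == "/" || p == mp || index(p, mp "/") == 1 {
            if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed if path $1 is on a filesystem mounted nosuid.
has_nosuid() {
    case ",$(mount_opts_for "$1" "$2")," in *,nosuid,*) return 0 ;; esac
    return 1
}

# $1: ':' separated list as in valid_chroot_dirs. Returns 1 if any entry lacks nosuid.
check_valid_chroot_dirs() {
    rc=0
    for d in $(printf '%s' "$1" | tr ':' ' '); do
        if has_nosuid "$d" "$2"; then
            echo "OK   $d: nosuid, setuid bits are ignored on this filesystem"
        else
            echo "WARN $d: setuid bits are honoured on this filesystem"
            rc=1
        fi
    done
    return $rc
}

# List setuid files with more than one hard link under $1 (one filesystem only);
# a setuid binary hardlinked into a user-writable tree would show up here.
find_linked_setuid() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Constructed sample mounts table (not from the thread).
sample_mounts() {
    printf '%s\n' '/dev/sda1 / ext3 rw,relatime 0 0' \
        '/dev/sda2 /home ext3 rw,nosuid,nodev 0 0' \
        '/dev/sda3 /var ext3 rw,relatime 0 0'
}

tmp=$(mktemp); sample_mounts > "$tmp"
check_valid_chroot_dirs "/home:/var/mail" "$tmp" || echo "review the WARN entries"; rm -f "$tmp"
```

Call check_valid_chroot_dirs with the value from dovecot.conf and no second argument to read the live /proc/mounts.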
participants (2)
- Luca Corti
- Timo Sirainen