[Dovecot] imapc vs auth-userdb security
Hello,
with imapc settings coming from userdb (individual configuration necessary) there exists a security problem if access to auth-userdb socket is given to normal (shell) users:
testuser@host:~$ doveadm user user1 userdb: lpmail uid : 1000 gid : 1111 home : /home/user1 namespace : gmail namespace/gmail/list: yes namespace/gmail/subscriptions: no namespace/gmail/separator: . namespace/gmail/prefix: INBOX.gmail. namespace/gmail/location: imapc:~/Maildir/gmail imapc_host: imap.gmail.com imapc_user: someuser@gmail.com imapc_password: cleartextpassword! imapc_ssl : imaps imapc_ssl_ca_dir: /etc/ssl/certs imapc_port: 993
Lutz
On 14.9.2011, at 14.40, Lutz Preßler wrote:
with imapc settings coming from userdb (individual configuration necessary) there exists a security problem if access to auth-userdb socket is given to normal (shell) users:
So don't give it to them? :) Actually this should be pretty much solved with v2.1 defaults. If the auth-userdb socket is 0666 root:root (default now), it requires that the calling process either has root user/group privileges or its uid matches the one returned by userdb, otherwise it won't return any fields.
On Mi, 14 Sep 2011, Timo Sirainen wrote:
On 14.9.2011, at 14.40, Lutz Preßler wrote:
with imapc settings coming from userdb (individual configuration necessary) there exists a security problem if access to auth-userdb socket is given to normal (shell) users:
So don't give it to them? :) Actually this should be pretty much solved with v2.1 defaults. If the auth-userdb socket is 0666 root:root (default now), it requires that the calling process either has root user/group privileges or its uid matches the one returned by userdb, otherwise it won't return any fields. I had to change that because of shared mailboxes and usage of %%h. Maybe one could return only home if uid does not match?
Lutz
On Wed, 2011-09-14 at 13:57 +0200, Lutz Preßler wrote:
On Mi, 14 Sep 2011, Timo Sirainen wrote:
On 14.9.2011, at 14.40, Lutz Preßler wrote:
with imapc settings coming from userdb (individual configuration necessary) there exists a security problem if access to auth-userdb socket is given to normal (shell) users:
So don't give it to them? :) Actually this should be pretty much solved with v2.1 defaults. If the auth-userdb socket is 0666 root:root (default now), it requires that the calling process either has root user/group privileges or its uid matches the one returned by userdb, otherwise it won't return any fields. I had to change that because of shared mailboxes and usage of %%h. Maybe one could return only home if uid does not match?
Well, you could also solve it by making it 0660 with group=dovecot and then set mail_access_groups=dovecot.
participants (2)
-
Lutz Preßler
-
Timo Sirainen