[Dovecot] Chrooting dovecot.
Greetings, I have installed Dovecot under FreeBSD 5_3. It is pretty impressive. I got SSL working with no problem for both imap and pop3. Besides that, I do still want to chroot Dovecot. I noticed that there are some options in the dovecot.conf that are intended for this. Unfortunately, online resources on how to do that can't be found on Google. Although I'm running the server as user dovecot, I still do have this:
    dovecot pop3-login 491 1 tcp4 10.0.1.4:995 *:*
    dovecot pop3-login 490 1 tcp4 10.0.1.4:995 *:*
    dovecot pop3-login 489 1 tcp4 10.0.1.4:995 *:*
    dovecot imap-login 488 1 tcp4 10.0.1.4:993 *:*
    dovecot imap-login 487 1 tcp4 10.0.1.4:993 *:*
    dovecot imap-login 486 1 tcp4 10.0.1.4:993 *:*
    root dovecot 481 5 tcp4 10.0.1.4:993 *:*
    root dovecot 481 6 tcp4 10.0.1.4:995 *:*
Fine for the first six lines it's doing what it's doing. But the last two lines are running as root. That is why I want to chroot the server. I would like if anyone can point me to some howto or notes on how to do so. If there is none I will have to configure a jail just for this purpose.
Thanks in advance.
-- Regards,
On Sun, 2005-03-13 at 23:41 -0800, BSD Mail wrote:
> root dovecot 481 5 tcp4 10.0.1.4:993 *:*
> root dovecot 481 6 tcp4 10.0.1.4:995 *:*
> Fine for the first six lines it's doing what it's doing. But the last two lines are running as root. That is why I want to chroot the server. I would like if anyone can point me to some howto or notes on how to do so. If there is none I will have to configure a jail just for this purpose.

The chrooting options in config file are meant for chrooting login, auth, imap and pop3 processes. By default it's chrooting login processes. Having the master process itself chrooted isn't supported.

Does FreeBSD prevent root user from escaping chroot? Last I heard Linux didn't even try.
On Tue, 2005-03-15 at 23:19 +0200, Timo Sirainen wrote:
> On Sun, 2005-03-13 at 23:41 -0800, BSD Mail wrote:
> > root dovecot 481 5 tcp4 10.0.1.4:993 *:*
> > root dovecot 481 6 tcp4 10.0.1.4:995 *:*
> > Fine for the first six lines it's doing what it's doing. But the last two lines are running as root. That is why I want to chroot the server. I would like if anyone can point me to some howto or notes on how to do so. If there is none I will have to configure a jail just for this purpose.
>
> The chrooting options in config file are meant for chrooting login, auth, imap and pop3 processes. By default it's chrooting login processes. Having the master process itself chrooted isn't supported.
>
> Does FreeBSD prevent root user from escaping chroot? Last I heard Linux didn't even try.

FreeBSD "jails", I gather, are more effective than chroot().
Similar in concept to Solaris 10's new "Zones".

chroot() is better than nothing, in some cases though. A measure doesn't have to be 100% effective, to be worth bothering with.
On Tue, Mar 15, 2005 at 11:19:59PM +0200, Timo Sirainen wrote:
> On Sun, 2005-03-13 at 23:41 -0800, BSD Mail wrote:
> > root dovecot 481 5 tcp4 10.0.1.4:993 *:*
> > root dovecot 481 6 tcp4 10.0.1.4:995 *:*
> > Fine for the first six lines it's doing what it's doing. But the last two lines are running as root. That is why I want to chroot the server. I would like if anyone can point me to some howto or notes on how to do so. If there is none I will have to configure a jail just for this purpose.
>
> The chrooting options in config file are meant for chrooting login, auth, imap and pop3 processes. By default it's chrooting login processes. Having the master process itself chrooted isn't supported.
>
> Does FreeBSD prevent root user from escaping chroot? Last I heard Linux didn't even try.

The whole point is that once you use chroot() then you're supposed to drop privs.
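
The chroot()-then-drop-privileges sequence mentioned in the last reply, as an added C example that is not part of the thread and is not Dovecot's code. The function name `chroot_and_drop` and the command-line arguments are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `dir`, then permanently give up root.
 * Must be called as root, after closing any descriptors that refer to
 * directories outside `dir`. Returns 0 on success, -1 with errno set;
 * on failure the caller should exit rather than keep running. */
int chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;            /* staying root would defeat the chroot */
        return -1;
    }
    if (chroot(dir) != 0)          /* needs root, so it comes first */
        return -1;
    if (chdir("/") != 0)           /* move the working directory inside */
        return -1;
    /* Order matters: supplementary groups, then gid, then uid last,
     * because after setuid() we may no longer change groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible and complete. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (chroot_and_drop(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10)) != 0) {
        perror("chroot_and_drop");
        return 1;
    }
    printf("confined, uid=%lu\n", (unsigned long)getuid());
    return 0;
}
```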
participants (4): Brad, BSD Mail, Dan Stromberg, Timo Sirainen