secure setup for imap hibernation
Hi.
What's the approach for securely enabling imap hibernation in case when each user uses different uid and gid?
Looks like none and 0666 on hibernation and imap master sockets is the only way?
Thanks,
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
> Hi.
> What's the approach for securely enabling imap hibernation in case when each user uses different uid and gid?
> Looks like none and 0666 on hibernation and imap master sockets is the only way?
> Thanks,

That's the only way, yes. Hibernation keeps all connections in same process.

Aki
On Friday 27 of October 2017, Aki Tuomi wrote:
> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
>> Hi.
>> What's the approach for securely enabling imap hibernation in case when each user uses different uid and gid?
>> Looks like none and 0666 on hibernation and imap master sockets is the only way?
>> Thanks,
> That's the only way, yes. Hibernation keeps all connections in same process.

Couldn't dovecot do setgroups(2) to add additional common group to imap/hibernation processes and rely on that for access to sockets (sockets would be root:thatgroup 0660) thus making it a bit more secure?
Non mail related uids/gids wouldn't have access to sockets that way.

> Aki

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On 27.10.2017 12:32, Arkadiusz Miśkiewicz wrote:
> On Friday 27 of October 2017, Aki Tuomi wrote:
>> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
>>> Hi.
>>> What's the approach for securely enabling imap hibernation in case when each user uses different uid and gid?
>>> Looks like none and 0666 on hibernation and imap master sockets is the only way?
>>> Thanks,
>> That's the only way, yes. Hibernation keeps all connections in same process.
> Couldn't dovecot do setgroups(2) to add additional common group to imap/hibernation processes and rely on that for access to sockets (sockets would be root:thatgroup 0660) thus making it a bit more secure?
> Non mail related uids/gids wouldn't have access to sockets that way.
>> Aki

It could. But at the moment it's not; a pull request to do this is always welcome. It would also need some way to choose correct socket.

Aki
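The following is an added example, not code from this thread or from Dovecot, that models the permission change Arkadiusz proposes. On Linux, connect(2) to a Unix-domain socket path needs write permission on the socket file, decided by the owner/group/other bits like any file. The program compares a 0666 socket with a root:group 0660 socket for per-user mail processes whose supplementary group list was installed with setgroups(2) before dropping to their own uid/gid, and for an unrelated local uid. The shared group gid MAILSOCK_GID (4242), the sample uids, and the mail_creds/plain_creds/drop_to_user helpers are this example's assumptions, not Dovecot names or defaults.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototype for setgroups(2); glibc declares it in <grp.h> only under
 * _DEFAULT_SOURCE/_GNU_SOURCE, so it is repeated here for strict modes. */
#ifdef __linux__
int setgroups(size_t size, const gid_t *list);
#endif

#define MAX_GROUPS 16

/* Hypothetical gid of the shared socket group (this example's assumption). */
#define MAILSOCK_GID 4242

/* Credentials a mail process carries after the privilege drop. */
struct creds {
    uid_t uid;
    gid_t gid;                 /* primary gid */
    gid_t groups[MAX_GROUPS];  /* supplementary gids */
    int ngroups;
};

/* Does the process carry gid g, as primary or supplementary group? */
static int has_gid(const struct creds *c, gid_t g)
{
    if (c->gid == g)
        return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return 1;
    return 0;
}

/* Model of the kernel's check for connecting to a socket path owned by
 * owner:group with the given mode: write permission via the matching
 * owner, group or other bit; root bypasses the check entirely. */
int can_connect(const struct creds *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->uid == 0)
        return 1;
    if (c->uid == owner)
        return (mode & S_IWUSR) != 0;
    if (has_gid(c, group))
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Per-user mail process: its own uid/gid plus the common socket group
 * as a supplementary group (what setgroups(2) would install). */
struct creds mail_creds(uid_t uid, gid_t gid)
{
    struct creds c = { .uid = uid, .gid = gid, .ngroups = 1 };
    c.groups[0] = MAILSOCK_GID;
    return c;
}

/* Unrelated local process with no supplementary groups. */
struct creds plain_creds(uid_t uid, gid_t gid)
{
    struct creds c = { .uid = uid, .gid = gid, .ngroups = 0 };
    return c;
}

/* The real drop a root master process would do before running a per-user
 * process: install the supplementary list first, then gid, then uid, so
 * each call is still permitted when it runs. Returns 0 on success. */
int drop_to_user(uid_t uid, gid_t gid)
{
    gid_t extra[1] = { MAILSOCK_GID };
    if (setgroups(1, extra) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample identities: two mail users with distinct
     * uid/gid pairs and one unrelated local account. */
    struct creds alice = mail_creds(10001, 10001);
    struct creds bob   = mail_creds(10002, 10002);
    struct creds other = plain_creds(20000, 20000);

    printf("0666 socket:        alice=%d bob=%d other=%d\n",
           can_connect(&alice, 0, 0, 0666),
           can_connect(&bob,   0, 0, 0666),
           can_connect(&other, 0, 0, 0666));
    printf("0660 root:mailsock: alice=%d bob=%d other=%d\n",
           can_connect(&alice, 0, MAILSOCK_GID, 0660),
           can_connect(&bob,   0, MAILSOCK_GID, 0660),
           can_connect(&other, 0, MAILSOCK_GID, 0660));

    /* Only root can perform the actual drop; otherwise just show the model. */
    if (geteuid() == 0 && drop_to_user(10001, 10001) == 0)
        printf("now uid %u with supplementary gid %u\n",
               (unsigned)getuid(), (unsigned)MAILSOCK_GID);
    return 0;
}
```

With 0666 all three identities can connect; with root:mailsock 0660 only the two mail processes can, because they carry the common gid in their supplementary list while the unrelated uid does not. The directory containing the socket still needs search permission for the same group, and the supplementary list must be set before setuid(), since an unprivileged process cannot call setgroups(2).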