[Dovecot] Permission denied

Matthias Andree matthias.andree at gmx.de
Sun Jul 13 04:16:38 EEST 2003


Timo Sirainen <tss at iki.fi> writes:

> Anyway, home directory isn't required information from auth process. I
> think I'll chdir to /tmp if it isn't given.

I wonder if core dumps (if any) of an authenticator process belong in
/tmp -- /tmp is anarchy area and must be treated with care. umask(077)
is the minimum to make sure no other user can harvest passwords from the
core file.

>> Make sure you don't add ANY branches between the seteuid() calls, no
>> mistakes must happen there.
>
> Why? I don't see how dropped privileges can cause much problems.

seteuid doesn't drop privileges, but temporarily puts them aside, while
the real and saved user ID remain zero. seteuid(0) restores root
permissions if you had them, and is a standard procedure in escalating
privileges after a break-in.

If you need to _permanently_ drop privileges so they cannot be restored,
use setuid or setresuid.

> The error handling I would do is just to write to already opened log
> file and exit(). seteuid() calls also need handling.. How about this:
>
> 	if (*home_dir != '\0') {
> 		full_home_dir = *chroot_dir == '\0' ? home_dir :
> 			t_strconcat(chroot_dir, "/", home_dir, NULL);
> 		/* NOTE: if home directory is NFS-mounted, we might not
> 		   have access to it as root. Change the effective UID
> 		   temporarily to make it work. */
> 		if (reply->uid != master_uid && seteuid(reply->uid) < 0)
> 			i_fatal("seteuid(%s) failed: %m", dec2str(reply->uid));
> 		ret = chdir(full_home_dir);
> 		if (reply->uid != master_uid && seteuid(master_uid) < 0)
> 			i_fatal("seteuid(%s) failed: %m", dec2str(master_uid));
> 		if (ret < 0) {
> 			i_fatal("chdir(%s) failed with uid %s: %m",
> 				full_home_dir, dec2str(reply->uid));
> 		}

The part above looks OK provided that i_fatal is simple.

> 	} else {
> 		/* We still have to change to some directory where we have
> 		   rx-access. /tmp should exist everywhere. */
> 		if (chdir("/tmp") < 0)
> 			i_fatal("chdir(/tmp) failed: %m");
> 	}

I don't like /tmp, see above. I'd feel more comfortable with a directory
that only dovecot has access to, rather than /tmp.

-- 
Matthias Andree
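Added example, not Dovecot code and not from either poster, showing the two points above in runnable C: seteuid() only moves the effective uid (real and saved uid keep root, so seteuid(0) gets it back), whereas setresuid()/setresgid() overwrite the saved ids as well; and a umask(077) plus an ownership/mode check on the working directory before anything that could dump core there. The function names, the 65534 "nobody" uid used in main(), and the getresuid()/setresuid() calls (glibc/BSD extensions, hence _GNU_SOURCE) are my assumptions; the test-style checks on /tmp rely only on /tmp being the usual mode 1777 directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* True when every uid slot (real, effective, saved) equals `want`.
   Only then can no later seteuid()/setuid() climb back to another id,
   which is what "permanently dropped" means in the thread. */
int privileges_permanently_dropped(uid_t want)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) < 0)
        return 0;
    return ruid == want && euid == want && suid == want;
}

/* Irreversible drop: setresgid()/setresuid() overwrite the saved ids too,
   so the saved-uid-zero "parking spot" that seteuid() leaves behind is gone. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) < 0)
        return -1;
    if (setresuid(uid, uid, uid) < 0)
        return -1;
    return privileges_permanently_dropped(uid) ? 0 : -1;
}

/* Reversible switch, as in the quoted chdir() snippet: only the effective
   uid moves; real and saved uid stay where they were. */
int switch_privileges_temporarily(uid_t uid)
{
    return seteuid(uid);
}

/* umask(077) before anything that might dump core, so a core file containing
   credentials is not readable by other users. Returns the mask now in force. */
mode_t set_core_safe_umask(void)
{
    umask(077);
    return umask(077);      /* umask() hands back the previous mask */
}

/* Candidate working directory check: a directory owned by `owner` with no
   group or other permission bits. /tmp (mode 1777) fails this on purpose. */
int directory_is_private(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    printf("umask now %04o\n", (unsigned)set_core_safe_umask());
    printf("/tmp private for uid %u: %s\n", (unsigned)getuid(),
           directory_is_private("/tmp", getuid()) ? "yes" : "no");

    if (geteuid() == 0) {
        /* Only meaningful as root: after seteuid() the saved uid is still 0. */
        uid_t unpriv = 65534;   /* assumed "nobody" uid, placeholder value */
        if (switch_privileges_temporarily(unpriv) == 0) {
            printf("after seteuid(%u): permanently dropped? %s\n", (unsigned)unpriv,
                   privileges_permanently_dropped(unpriv) ? "yes" : "no");
            if (seteuid(0) == 0)
                printf("seteuid(0) succeeded: root was only parked\n");
        }
        if (drop_privileges_permanently(unpriv, unpriv) == 0)
            printf("after setresuid: permanently dropped? %s\n",
                   privileges_permanently_dropped(unpriv) ? "yes" : "no");
    } else if (drop_privileges_permanently(getuid(), getgid()) == 0) {
        printf("unprivileged: all uid slots fixed at %u\n", (unsigned)getuid());
    }
    return 0;
}
```

Run as root the program prints that seteuid(0) still succeeds after the temporary switch and that only the setresuid() path leaves privileges_permanently_dropped() true; run unprivileged it only exercises the umask and directory checks.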

