[Dovecot] Solving CVE-2008-4870
mhlavink at redhat.com
Thu Nov 13 13:03:48 EET 2008
we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
world readable - possible password exposure.
This problem seems to be little more complicated than we thought.
dovecot.conf can contain passphrase for ssl key, which is available for
everyone since dovecot.conf has world readable permissions.
(In CVE's description is note that it RHEL's/Fedora's problem, but it
affects all systems imo)
We was thinking about few ways how to fix it:
1) 0640 permissions for dovecot.conf - but it can became not readable
2) 0640 root:mail and set deliver to group mail with sgid - possible
3) don't store passphrase in dovecot.conf, just ask for it when
dovecot's started - can hang boot process, not good
As part of investigating, I've found dovecot is storing all variables in
environment variables - it means even passphrase? I'm not completely
sure, but all variables can be read via /proc/<pid>/environ (I don't
know if it becomes readable in some circumstances.)
Is there any plan to solve this problem?
More information about the dovecot