[Dovecot] Dovecot "deliver" with multiple UIDs (security question)

Timo Sirainen tss at iki.fi
Sun Jul 11 21:58:52 EEST 2010

On Sat, 2010-07-10 at 12:30 +0300, Buzai Andras wrote:

> I only call the deliver with sudo from inside Postfix and the sudoer user is
> only allowed to sudo on the deliver binary.
> My question is:
> Is this solution secure? Can it be used in a production environment?
> What exactly happens in the background from the time I call "deliver" with
> sudo, to the time the delivery is finished?

deliver starts as root, does userdb lookup, drops privileges and then
all is ok.

The main problem is that while deliver is running as root at startup, it
can be told to do bad things. Basically the user that calls deliver via
sudo has the ability to gain root privileges (e.g. by telling deliver to
load a plugin that execs a shell).

With v2.0 you could use LMTP without these kinds of problems.
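
Added example, not part of the original message and not the Dovecot project's own configuration: a minimal v2.0 LMTP setup in which Postfix hands mail to Dovecot over a UNIX socket, so the sending side has no sudo rule, command line or environment through which to influence a root-started deliver. The socket path, the postfix user/group, the imap entry in protocols and the use of virtual_transport are assumptions about the local installation.

```conf
# --- dovecot.conf (Dovecot v2.0) ---
# Enable the LMTP service next to the protocols already served
# (imap here is an assumption; keep your existing list and add lmtp).
protocols = imap lmtp

service lmtp {
  # Socket inside Postfix's queue directory (assumed /var/spool/postfix),
  # accessible only to the postfix account (assumed account name).
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

# --- Postfix main.cf ---
# Deliver through the socket above instead of piping to "sudo deliver".
# Assumes virtual mailbox domains; for local(8) recipients set
# mailbox_transport to the same value instead.
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

Once mail flows over LMTP, the sudoers entry for the deliver binary can be removed.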

