[Dovecot] Dovecot "deliver" with multiple UIDs (security question)

Buzai Andras buzai.andras at gmail.com
Mon Jul 12 00:09:29 EEST 2010


Hi,

My master.cf Postfix file contains the following entry for this:

dovecot  unix  -       n       n       -       -       pipe
  flags=DRhu user=*mysudoeruser* argv=/usr/bin/sudo /usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}

When you say that:

"Basically the user that calls deliver via sudo has the ability to gain
root privileges (e.g. by telling deliver to load a plugin that execs a
shell).",

do you refer to the postfix user or to the user specified in the master.cf
file (*mysudoeruser* in my case)?
In my configuration the user "mysudoeruser" is a dedicated user only for
this action and it is not allowed to log in, etc.

So basically, for somebody to gain root access, they would have to
compromise the "mysudoeruser" dedicated user, right?

Would you use this setup in a production environment? :)

Thank you,

Buzai Andras

On Sun, Jul 11, 2010 at 9:58 PM, Timo Sirainen <tss at iki.fi> wrote:

> On Sat, 2010-07-10 at 12:30 +0300, Buzai Andras wrote:
>
> > I only call the deliver with sudo from inside Postfix and the sudoer user
> > is only allowed to sudo on the deliver binary.
> >
> > My question is:
> > Is this solution secure? Can it be used on a production environment?
> > What exactly happens in the background from the time I call "deliver"
> > with sudo, to the time the delivery is finished?
>
> deliver starts as root, does userdb lookup, drops privileges and then
> all is ok.
>
> The main problem is that while deliver is running as root at startup, it
> can be told to do bad things. Basically the user that calls deliver via
> sudo has the ability to gain root privileges (e.g. by telling deliver to
> load a plugin that execs a shell).
>
> With v2.0 you could use LMTP without these kinds of problems.
>
>
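
An added example, not part of the original thread and not Postfix or Dovecot code: a check that scans master.cf text for pipe transports whose argv runs through sudo, the setup discussed above. The sample input and function names are constructed for illustration, and it assumes no sudo option takes a separate value.

```python
# Added example: audit Postfix master.cf text for pipe(8) transports that run
# their delivery command through sudo. SAMPLE is constructed for illustration.
import shlex

SAMPLE = """\
# constructed sample, modelled on the entry quoted in this thread
smtp      inet  n       -       n       -       -       smtpd
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=mysudoeruser argv=/usr/bin/sudo /usr/lib/dovecot/deliver
  -f ${sender} -d ${recipient}
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def sudo_pipe_services(text):
    """Return (service, pipe user, sudo target, Postfix macros in argv)."""
    findings = []
    for line in logical_lines(text):
        fields = line.split(None, 8)  # 8 fixed columns, then the arguments
        if len(fields) < 9 or fields[7] != "pipe" or "argv=" not in fields[8]:
            continue
        attrs, argv = fields[8].split("argv=", 1)
        argv = shlex.split(argv)
        if not argv or argv[0].rsplit("/", 1)[-1] != "sudo":
            continue
        user = next((a[5:] for a in attrs.split() if a.startswith("user=")), None)
        # First non-option word after sudo is the program that starts as root.
        target = next((a for a in argv[1:] if not a.startswith("-")), None)
        macros = [a for a in argv if a.startswith("${")]
        findings.append((fields[0], user, target, macros))
    return findings

if __name__ == "__main__":
    for finding in sudo_pipe_services(SAMPLE):
        print(finding)
```
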

