[Dovecot] How to achieve proper privilege separation?
Timo Sirainen
tss at iki.fi
Thu Feb 23 07:29:36 EET 2012
On 23.2.2012, at 7.20, Tóth Attila wrote:
> I'm using a simple mbox config with regular Unix users and pam
> authentication.
>
> I'm also using grsecurity. That's why I see what dovecot does in which
> users' name. As times goes by and new versions are coming I can
> frustratedly see, that more and more tasks are performed as root. Why?
Less tasks should be running as root now. The master process code is a lot smaller.
> When I used 1.x series of Dovecot, imap process started in the name of the
> user whose mbox was accessed.
> Now I can see, that nearly every task is performed by root. Why? It even
> tampers with the mail directories of each user as root instead of the user
> as it was usual long before.
The imap process starts as root, does a userdb lookup and then drops privileges to that user. It worked this way before too, only the userdb lookup code was done by master process.
More information about the dovecot
mailing list