[Dovecot] How to achieve proper privilege separation?

"Tóth Attila" atoth at atoth.sote.hu
Thu Feb 23 10:03:37 EET 2012


Unfortunately I can see that in my case /usr/libexec/dovecot/imap
accesses both the inbox and the mail directories of the user as root.
Moreover, it creates the lock file as root. I can see no process running
as the user.

How could I teach dovecot to start the imap process as the user? What
configuration options should I blame?

Thx:
Dw.

dovecot -n
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.6-hardened i686 Gentoo Base System release 2.0.3
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_worker_max_count = 16
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 99
first_valid_uid = 1000
hostname =
last_valid_gid = 65533
last_valid_uid = 1003
listen = *
mail_access_groups = mail
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail/:INBOX=/var/spool/mail/%u
mail_max_keyword_length = 150
mail_privileged_group = mail
mail_uid = mail
passdb {
  args = *
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster@
protocols = imap
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
  vsz_limit = 16 M
}
service imap {
  process_limit = 4
  vsz_limit = 64 M
}
ssl_cert = </etc/apache2/ssl/cert.pem
ssl_key = </etc/apache2/ssl/key.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  imap_max_line_length = 64 k
}


-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Thursday, 23 February 2012 at 06:29, Timo Sirainen wrote:
> On 23.2.2012, at 7.20, Tóth Attila wrote:
>
>> I'm using a simple mbox config with regular Unix users and pam
>> authentication.
>>
>> I'm also using grsecurity. That's why I see what dovecot does in which
>> user's name. As time goes by and new versions are coming, I can
>> frustratedly see that more and more tasks are performed as root. Why?
>
> Fewer tasks should be running as root now. The master process code is a lot
> smaller.
>
>> When I used 1.x series of Dovecot, imap process started in the name of the
>> user whose mbox was accessed.
>> Now I can see that nearly every task is performed by root. Why? It even
>> tampers with the mail directories of each user as root instead of the user
>> as it was usual long before.
>
> The imap process starts as root, does a userdb lookup and then drops
> privileges to that user. It worked this way before too, only the userdb
> lookup code was done by master process.
>
>
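
One way to check the sequence described in the quoted reply (start as root, userdb lookup, drop to the user) on a Linux host, added here as an example that is not part of either message and is not Dovecot code: it classifies processes named `imap` by the four UIDs, GIDs and supplementary groups in `/proc/<pid>/status`, using the `first_valid_uid`/`last_valid_uid` range from the posted config. The function names, verdict strings and sample status texts are constructed for illustration.

```python
# From the posted config: first_valid_uid = 1000, last_valid_uid = 1003.
FIRST_VALID_UID, LAST_VALID_UID = 1000, 1003

def parse_status(text):
    """Extract name, UIDs, GIDs and supplementary groups from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    def ids(key):
        return [int(v) for v in fields.get(key, [])]
    return {"name": " ".join(fields.get("Name", [])),
            "uids": ids("Uid"), "gids": ids("Gid"), "groups": ids("Groups")}

def classify(st):
    """Verdict on one process's credentials (order: real, effective, saved, filesystem)."""
    uids, gids = st["uids"], st["gids"]
    if len(uids) != 4 or len(gids) != 4:
        return "unparsed"
    if set(uids) == {0}:
        return "root"          # never dropped, or sampled before the userdb lookup finished
    if 0 in uids:
        return "partial-drop"  # e.g. saved UID still 0: the process could switch back to root
    if len(set(uids)) > 1:
        return "mixed-uids"
    if not FIRST_VALID_UID <= uids[0] <= LAST_VALID_UID:
        return "uid-out-of-range"
    if 0 in gids or 0 in st["groups"]:
        return "root-group"    # UID dropped, but a root GID or supplementary group remains
    return "dropped"

def audit(status_texts, name="imap"):
    """Return a verdict for every status text whose process name matches `name`."""
    parsed = (parse_status(t) for t in status_texts)
    return [classify(st) for st in parsed if st["name"] == name]

# Constructed samples (not taken from the poster's system).
SAMPLES = [
    "Name:\timap\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0\n",
    "Name:\timap\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t12 1001\n",
    "Name:\timap\nUid:\t1001\t1001\t0\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001\n",
    "Name:\timap-login\nUid:\t97\t97\t97\t97\nGid:\t97\t97\t97\t97\nGroups:\t97\n",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

On a live host, pass `audit()` the contents of each `/proc/<pid>/status` file; a single `root` verdict is only a snapshot, so sample a logged-in session more than once before concluding the drop never happens.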




