[Dovecot] How to achieve proper privilege separation?

"Tóth Attila" atoth at atoth.sote.hu
Thu Feb 23 07:20:26 EET 2012


I'm using a simple mbox config with regular Unix users and pam
authentication.

I'm also using grsecurity. That's why I can see what dovecot does in which
user's name. As time goes by and new versions come out, I can
frustratedly see that more and more tasks are performed as root. Why?

When I used the 1.x series of Dovecot, the imap process started in the name of the
user whose mbox was accessed.
Now I can see that nearly every task is performed by root. Why? It even
tampers with the mail directories of each user as root instead of as the user,
as was usual long before.

Please let me know how I should change the config to make dovecot stop
using root privileges and revert to the old behavior.

Thanks for your help:
Dw.

Here's my current config:
dovecot -n
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf
# OS: Linux 3.2.6-hardened i686 Gentoo Base System release 2.0.3
auth_socket_path = /var/run/dovecot/auth-userdb
auth_verbose = yes
auth_worker_max_count = 16
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
first_valid_gid = 99
first_valid_uid = 1000
hostname = host.name
last_valid_gid = 65533
last_valid_uid = 1003
listen = *
mail_access_groups = mail
mail_full_filesystem_access = yes
mail_gid = mail
mail_location = mbox:~/mail/:INBOX=/var/spool/mail/%u
mail_max_keyword_length = 150
mail_privileged_group = mail
mail_uid = mail
passdb {
  args = *
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
postmaster_address = postmaster at host.name
protocols = imap
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  service_count = 1
  vsz_limit = 16 M
}
service imap {
  process_limit = 4
  vsz_limit = 64 M
}
ssl_cert = </etc/apache2/ssl/cert-file.pem
ssl_key = </etc/apache2/ssl/key-file.pem
userdb {
  driver = passwd
}
verbose_proctitle = yes
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
  imap_max_line_length = 64 k
}

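As an added example (not from the original post and not Dovecot's own code), a small Python audit that parses `dovecot -n` output like the one above and reports which services are configured with `user = root` and which settings widen the filesystem a mail process may reach; the embedded config is a constructed excerpt of the one posted here.

```python
"""Audit a dovecot -n dump for privilege-separation weaknesses (added example, not Dovecot code)."""
import re

# Constructed excerpt of the config posted in the thread (not a live host).
SAMPLE_CONFIG = """\
# 2.0.17 (684381041dc4+): /etc/dovecot/dovecot.conf
first_valid_uid = 1000
mail_full_filesystem_access = yes
mail_uid = mail
service auth-worker {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  service_count = 1
}
"""


def parse_dovecot_conf(text):
    """Turn `key = value` lines into a flat dict; nested blocks become
    dotted keys, e.g. 'service auth-worker.user'."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a block such as "service imap-login"
        elif line == "}":
            stack.pop()                        # leave the innermost block
        else:
            key, _, value = line.partition("=")
            settings[".".join(stack + [key.strip()])] = value.strip()
    return settings


def audit_privileges(settings):
    """Report services configured to run as root and settings that let a
    mail process touch more of the filesystem than the user's own mail."""
    findings = []
    for key, value in settings.items():
        m = re.fullmatch(r"service (\S+)\.user", key)
        if m and value == "root":
            findings.append(f"service {m.group(1)} is configured with user = root")
    if settings.get("mail_full_filesystem_access") == "yes":
        findings.append("mail_full_filesystem_access = yes lets clients name "
                        "mailboxes anywhere on the filesystem")
    return findings
```

Feed it the real `dovecot -n` output to see which of the listed services are the ones deliberately given root (here only the PAM auth worker) and which run as root unexpectedly.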
-- 
dr Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057