[Dovecot] Encryption solution for messages at rest

Reindl Harald h.reindl at thelounge.net
Mon Oct 28 22:10:32 EET 2013



Am 28.10.2013 20:49, schrieb Michael Orlitzky:
> On 10/28/2013 03:14 PM, Douglas Mortensen wrote:
>> If a customer has vulnerable PHP code on a website, some of these
>> will allow a remote file upload. I have seen cases where they upload
>> a PHP script that is a sort of web-based console/shell to the server
>> (file-system, etc.). It provides several tools which all run through
>> the uploaded PHP script to try to brute force and do other attacks.
>> I've seen attempts at a root exploit. We've never had a root exploit
>> and any such case of a customer's site being hacked has been easily
>> contained by simple filesystem permissions being correct (and the
>> fact that we have apache setup to run all scripts as the user who is
>> the owner of the script files, which confines the script to that
>> users' permissions). Still nobody loves the idea of bad guys trying
>> to hack on your box.
> 
> If an attacker gets root, the entire exercise is pointless, because he
> can get the decryption key. So you "don't have to worry" about that case =)
> 
> A suggestion, not dovecot-related:
> 
> The web users -- in our case, www.example.com -- shouldn't have access
> to anything outside of the web root. You can achieve this within PHP by
> placing everything that the website will need under one directory, and
> setting (in apache):
> 
>   php_admin_value open_basedir /var/www/$domain/$host/
>   php_admin_value upload_tmp_dir /var/www/$domain/$host/tmp
>   php_admin_value session.save_path /var/www/$domain/$host/tmp
>   php_admin_value sys_temp_dir /var/www/$domain/$host/tmp

oh no - do *not* place the sesiondata anywhere inside open_basdir
this is one of the badest things you can do because any otherwise
harmless script bypassed whatever security restriction will
be able to read *any* session data

but hey, also PHP upstream a few years ago had no clue about session-security

https://bugs.php.net/bug.php?id=42077

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131028/1f84b58c/attachment.bin>


More information about the dovecot mailing list