Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 452088 - deliver broken by removal of world read permissions from dovecot.conf
Summary: deliver broken by removal of world read permissions from dovecot.conf
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 9
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-19 09:15 UTC by Tom Hughes
Modified: 2008-07-26 06:06 UTC (History)
1 user (show)

Fixed In Version: 1.0.15-1.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-01 05:26:28 UTC


Attachments (Terms of Use)

Description Tom Hughes 2008-06-19 09:15:02 UTC
Description of problem:

Previous versions of dovecot have had dovecot.conf as a world readable file. The
world read permission has been removed in the current version.

This means that the deliver program from the dovecot package no longer works
unless it is run as root, which any sensibly configured MTA would not want to do
for obvious security reasons.

Version-Release number of selected component (if applicable):

dovecot-1.0.14-8.fc9

How reproducible:

Totally.

Steps to Reproduce:
1. Upgrade dovecot to latest version
2. Run /usr/libexec/dovecot/deliver as a non-root user
  
Actual results:

Fatal: open(/etc/dovecot.conf) failed: Permission denied

Expected results:

Mail is delivered into the specified folder.

Additional info:

My current workaround is to change the ownership of dovecot.conf to dovecot:mail
which works as my MTA configuration runs deliver as group mail.

Comment 1 Dan Horák 2008-06-19 10:08:01 UTC
The permission change was done as a reaction on bug #445200. But you are right
that using dovecot:mail as ownership and 0640 as permissions would be more
appropriate. Leaving a file with certificate password world readable is not
good, so requiring deliver to be run with group = mail is a good compromise, I
think.

Comment 2 Fedora Update System 2008-06-22 16:33:52 UTC
dovecot-1.0.15-1.fc8 has been submitted as an update for Fedora 8

Comment 3 Fedora Update System 2008-06-22 16:34:46 UTC
dovecot-1.0.15-1.fc9 has been submitted as an update for Fedora 9

Comment 4 Fedora Update System 2008-06-25 02:50:13 UTC
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dovecot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5642

Comment 5 Fedora Update System 2008-07-01 05:26:25 UTC
dovecot-1.0.15-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-07-01 05:28:10 UTC
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Jordan Russell 2008-07-04 05:46:33 UTC
(In reply to comment #1)
> using dovecot:mail as ownership and 0640 as permissions would be more
> appropriate.

Seriously bad idea. This needs to be reverted.

Now, if an attacker gains control over one of the unprivileged login processes
running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some
creative modifications there (perhaps a custom auth_executable setting), he can
run arbitrary commands as root.

http://wiki.dovecot.org/UserIds
"dovecot user is used internally for processing users' logins. It shouldn't have
access to any files or anything else either."

Comment 8 Dan Horák 2008-07-04 06:12:01 UTC
The only combination that remains is to set ownership to root:mail(In reply to
comment #7)
> (In reply to comment #1)
> > using dovecot:mail as ownership and 0640 as permissions would be more
> > appropriate.
> 
> Seriously bad idea. This needs to be reverted.
> 
> Now, if an attacker gains control over one of the unprivileged login processes
> running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some
> creative modifications there (perhaps a custom auth_executable setting), he can
> run arbitrary commands as root.
> 
> http://wiki.dovecot.org/UserIds
> "dovecot user is used internally for processing users' logins. It shouldn't have
> access to any files or anything else either."

The only combination that remains is to set ownership to root:mail. But
reverting the whole permission/ownership change that was done for bug #445200 is
a bad idea too. What do you think?

Comment 9 Jordan Russell 2008-07-16 20:20:46 UTC
I'm not really sure what (if anything) should be done about that problem... I'd
check with the Dovecot developer.

Comment 10 Fedora Update System 2008-07-26 06:06:11 UTC
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.