Bug 445200

Summary: dovecot.conf is world readable - possible password exposure
Product: [Fedora] Fedora
Reporter: Dan Horák <dan>
Component: dovecot
Assignee: Dan Horák <dan>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: kurt
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.0.13-8
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-05-29 08:39:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dan Horák 2008-05-05 13:38:54 UTC
+++ This bug was initially created as a clone of Bug #436287 +++

Description of problem:

The file dovecot.conf is world readable by default. This poses a potential
security issue if the ssl_key_password parameter is set. Any local user would be
able to view the password used to protect the SSL key file. The dovecot.conf
file does not need to be world readable, dovecot functions perfectly well with
/etc/dovecot.conf not being world readable. Changing the default permissions of
dovecot.conf to -rw-r----- (0640) would prevent this issue and has no impact on
system functionality.


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. install dovecot
2.
3.
  
Actual results:


Expected results:


Additional info:
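
The check and fix the report describes, as an added POSIX shell example that is not part of the bug report or of the dovecot package: it flags a config file that is readable by "other" and sets ssl_key_password, and applies the 0640 mode proposed above. The function names, return codes and the sample config contents are this example's own assumptions; the only setting name it looks for is the ssl_key_password parameter named in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the dovecot package): audit a
# Dovecot-style config for the exposure described in the report and apply
# the proposed fix. Usage: sh audit-dovecot-conf.sh /etc/dovecot.conf

# Exit 0 when FILE grants read access to "other" (world-readable).
# Column 8 of `ls -l` output is the other-read bit (POSIX, no GNU stat needed).
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Exit 0 when FILE sets a value that must stay secret. Only ssl_key_password
# is named in the report; the pattern tolerates leading whitespace and
# optional spaces around "=", which Dovecot's config syntax allows.
has_secret_setting() {
    grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=' "$1"
}

# Audit FILE. Return codes (this example's own convention):
#   0 = not world-readable (ok)
#   1 = world-readable AND sets ssl_key_password (the reported exposure)
#   2 = world-readable, no secret found (still worth tightening)
#   3 = file missing
audit_config() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 3; }
    if ! is_world_readable "$f"; then
        echo "ok: $f is not world-readable"
        return 0
    fi
    if has_secret_setting "$f"; then
        echo "FAIL: $f is world-readable and sets ssl_key_password"
        return 1
    fi
    echo "warn: $f is world-readable (no secret setting found)"
    return 2
}

# Remediation from the report: owner read/write, group read, nothing for
# "other" (-rw-r-----). The report notes dovecot runs fine with this mode.
fix_config_perms() {
    chmod 0640 "$1"
}

# Audit the path given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_config "$1"
fi
```

Run it against a copy of the config first if you want to see the audit result without changing anything; `fix_config_perms` only touches the mode bits, so ownership of the file is left as the package installed it.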

Comment 1 Bug Zapper 2008-05-14 10:39:38 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Fedora Update System 2008-06-06 09:11:15 UTC
dovecot-1.0.14-7.fc9 has been submitted as an update for Fedora 9

Comment 3 Fedora Update System 2008-06-06 09:13:12 UTC
dovecot-1.0.14-7.fc8 has been submitted as an update for Fedora 8

Comment 4 Kurt Seifried 2008-06-06 09:55:04 UTC
So now that this is fixed in Fedora any plans for Enterprise?

Comment 5 Dan Horák 2008-06-06 11:23:12 UTC
It should be fixed in the next batch update for RHEL5 (5.3) along with other
bugs reported for dovecot.