Red Hat Bugzilla – Bug 445200
dovecot.conf is world readable - possible password exposure
Last modified: 2008-06-06 07:23:12 EDT
+++ This bug was initially created as a clone of Bug #436287 +++
Description of problem:
The file dovecot.conf is world readable by default. This poses a potential
security issue if the ssl_key_password parameter is set. Any local user would be
able to view the password used to protect the SSL key file. The dovecot.conf
file does not need to be world readable, dovecot functions perfectly well with
/etc/dovecot.conf not being world readable. Changing the default permissions of
dovecot.conf to -rw-r----- (0640) would prevent this issue and has no impact on
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install dovecot
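The exposure described in the report is easy to check for mechanically: a config file that both carries an ssl_key_password setting and is readable by "other" is the risky combination, and the fix proposed above is mode 0640. The following shell script is an added example, not part of the bug report or of the dovecot package; it builds a constructed sample config in a temporary directory (not the real /etc/dovecot.conf), audits it, and applies the 0640 fix. The function names (world_readable, has_key_password, audit_conf, harden_conf) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Bugzilla report): audit a dovecot-style config
# for a world-readable file that contains an ssl_key_password setting, and
# tighten it to 0640 as the report suggests.

# Return 0 if the mode bits grant read to "other" (the "world readable" case),
# 1 otherwise. find -perm -o+r tests the mode bits directly, so the result is
# the same whether or not the caller is root. -prune keeps find from
# descending if a directory is passed by mistake.
world_readable() {
    [ -n "$(find "$1" -prune -perm -o+r -print 2>/dev/null)" ]
}

# Return 0 if an uncommented "ssl_key_password = ..." line is present.
has_key_password() {
    grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=' "$1"
}

# Print "exposed" and return 1 when a key password sits in a world-readable
# file; print "ok" and return 0 otherwise (including the no-password case,
# which the report also treats as harmless).
audit_conf() {
    if has_key_password "$1" && world_readable "$1"; then
        echo "exposed: $1 is world readable and sets ssl_key_password"
        return 1
    fi
    echo "ok: $1"
    return 0
}

# Apply the fix from the report: owner rw, group r, nothing for other.
harden_conf() {
    chmod 0640 "$1"
}

# Constructed sample config for demonstration; the password value is a
# placeholder, not a real secret.
tmp=$(mktemp -d)
sample="$tmp/dovecot.conf"
cat > "$sample" <<'EOF'
protocols = imap imaps
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
ssl_key_password = placeholder-not-a-real-secret
EOF
chmod 0644 "$sample"   # the default world-readable mode the report complains about

audit_conf "$sample" || harden_conf "$sample"   # first run: exposed, so harden
audit_conf "$sample"                             # second run: ok
ls -l "$sample"
rm -rf "$tmp"
```

The audit only flags the combination the report is about; a world-readable config with no ssl_key_password line passes, which matches the reporter's reasoning that the permission itself is only a problem when a secret is stored in the file.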
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and the reason for this action are here:
dovecot-1.0.14-7.fc9 has been submitted as an update for Fedora 9
dovecot-1.0.14-7.fc8 has been submitted as an update for Fedora 8
So now that this is fixed in Fedora any plans for Enterprise?
It should be fixed in the next batch update for RHEL5 (5.3) along with other
bugs reported for dovecot.