Bug 445200 - dovecot.conf is world readable - possible password exposure
Summary: dovecot.conf is world readable - possible password exposure
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dovecot
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Dan Horák
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-05 13:38 UTC by Dan Horák
Modified: 2008-06-06 11:23 UTC (History)

Fixed In Version: 1.0.13-8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-29 08:39:15 UTC
Type: ---
Embargoed:



Description Dan Horák 2008-05-05 13:38:54 UTC
+++ This bug was initially created as a clone of Bug #436287 +++

Description of problem:

The file dovecot.conf is world readable by default. This poses a potential
security issue if the ssl_key_password parameter is set. Any local user would be
able to view the password used to protect the SSL key file. The dovecot.conf
file does not need to be world readable; dovecot functions perfectly well with
/etc/dovecot.conf not being world readable. Changing the default permissions of
dovecot.conf to -rw-r----- (0640) would prevent this issue and has no impact on
system functionality.


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. install dovecot
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Bug Zapper 2008-05-14 10:39:38 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Fedora Update System 2008-06-06 09:11:15 UTC
dovecot-1.0.14-7.fc9 has been submitted as an update for Fedora 9

Comment 3 Fedora Update System 2008-06-06 09:13:12 UTC
dovecot-1.0.14-7.fc8 has been submitted as an update for Fedora 8

Comment 4 Kurt Seifried 2008-06-06 09:55:04 UTC
So now that this is fixed in Fedora any plans for Enterprise?

Comment 5 Dan Horák 2008-06-06 11:23:12 UTC
It should be fixed in the next batch update for RHEL5 (5.3) along with other
bugs reported for dovecot.
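
The following audit script is an added example, not part of the original bug report or of the dovecot package. It checks a config file for the condition described in the report (world-readable file with an active ssl_key_password line) and applies the proposed 0640 mode. The function names and return codes are choices made for this example.

```shell
#!/bin/sh
# Audit a Dovecot config for the exposure described in this bug.
# Return codes (defined for this example only):
#   0 = file is not world readable
#   1 = world readable, but no active ssl_key_password line
#   2 = world readable AND ssl_key_password is set (exposed to local users)
#   3 = file does not exist
audit_dovecot_conf() {
    conf=${1:-/etc/dovecot.conf}
    [ -f "$conf" ] || return 3

    # find prints the path only if the "other" read bit (004) is set.
    if [ -z "$(find "$conf" -prune -perm -004)" ]; then
        return 0
    fi

    # Match an uncommented ssl_key_password assignment with a non-empty value.
    if grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
        return 2
    fi
    return 1
}

# Apply the mode proposed in the report (-rw-r-----).
fix_dovecot_conf() {
    chmod 0640 "${1:-/etc/dovecot.conf}"
}

# Print a one-line verdict for a config file and return the audit code.
report_dovecot_conf() {
    conf=${1:-/etc/dovecot.conf}
    audit_dovecot_conf "$conf" && rc=0 || rc=$?
    case $rc in
        0) echo "$conf: OK, not world readable" ;;
        1) echo "$conf: world readable, no ssl_key_password set" ;;
        2) echo "$conf: world readable and ssl_key_password is set" ;;
        3) echo "$conf: not found" ;;
    esac
    return "$rc"
}
```

Run `report_dovecot_conf /etc/dovecot.conf` after sourcing the file; if the file was already world readable with a key password in it, rotating that password is a separate step the mode change does not cover.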

