Bug 445200 - dovecot.conf is world readable - possible password exposure
Product: Fedora
Classification: Fedora
Component: dovecot
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Dan Horák
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-05 09:38 EDT by Dan Horák
Modified: 2008-06-06 07:23 EDT
Fixed In Version: 1.0.13-8
Doc Type: Bug Fix
Last Closed: 2008-05-29 04:39:15 EDT

Description Dan Horák 2008-05-05 09:38:54 EDT
+++ This bug was initially created as a clone of Bug #436287 +++

Description of problem:

The file dovecot.conf is world readable by default. This poses a potential
security issue if the ssl_key_password parameter is set. Any local user would be
able to view the password used to protect the SSL key file. The dovecot.conf
file does not need to be world readable; dovecot functions perfectly well with
/etc/dovecot.conf not being world readable. Changing the default permissions of
dovecot.conf to -rw-r----- (0640) would prevent this issue and has no impact on
system functionality.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. install dovecot
Actual results:

Expected results:

Additional info:
Comment 1 Bug Zapper 2008-05-14 06:39:38 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 2 Fedora Update System 2008-06-06 05:11:15 EDT
dovecot-1.0.14-7.fc9 has been submitted as an update for Fedora 9
Comment 3 Fedora Update System 2008-06-06 05:13:12 EDT
dovecot-1.0.14-7.fc8 has been submitted as an update for Fedora 8
Comment 4 Kurt Seifried 2008-06-06 05:55:04 EDT
So now that this is fixed in Fedora any plans for Enterprise?
Comment 5 Dan Horák 2008-06-06 07:23:12 EDT
It should be fixed in the next batch update for RHEL5 (5.3) along with other
bugs reported for dovecot.
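
A check for the condition reported in the description, as an added example that is not part of the bug report or of the Fedora package: it tests whether a Dovecot configuration file has the "other read" bit set and whether an active ssl_key_password line is present, then applies the 0640 mode the report proposes. The function names, return codes and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Return codes are this example's own:
#   0 = file is not world readable
#   1 = world readable, but no active ssl_key_password setting
#   2 = world readable AND ssl_key_password is set (readable by any local user)
#   3 = file not found
audit_dovecot_conf() {
    conf=$1
    [ -f "$conf" ] || return 3
    # find prints the path only when the "other read" mode bit (0004) is set.
    # This inspects the mode bits themselves, so it also works when run as root.
    if [ -z "$(find "$conf" -prune -perm -0004 2>/dev/null)" ]; then
        return 0
    fi
    # An active setting is an uncommented line with a non-empty value;
    # the commented-out default "#ssl_key_password =" does not count.
    if grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]#]' "$conf"; then
        return 2
    fi
    return 1
}

# Apply the mode proposed in the report (0640). Owner and group are left as-is.
harden_dovecot_conf() {
    chmod 0640 "$1"
}

# Demonstration on a constructed sample file, never on a real system file.
demo() {
    tmp=$(mktemp)
    printf 'protocols = imap\nssl_key_password = constructed-example\n' > "$tmp"
    chmod 0644 "$tmp"
    rc=0; audit_dovecot_conf "$tmp" || rc=$?
    echo "before hardening: rc=$rc"
    harden_dovecot_conf "$tmp"
    rc=0; audit_dovecot_conf "$tmp" || rc=$?
    echo "after hardening:  rc=$rc"
    rm -f "$tmp"
}

# Run the demonstration only when asked: sh audit.sh --demo
[ "${1:-}" != "--demo" ] || demo
```

On a real system the path to pass is /etc/dovecot.conf, the location named in the report.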
