Bug 452088 - deliver broken by removal of world read permissions from dovecot.conf
deliver broken by removal of world read permissions from dovecot.conf
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dovecot (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: Dan Horák
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-19 05:15 EDT by Tom Hughes
Modified: 2008-07-26 02:06 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.0.15-1.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-01 01:26:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom Hughes 2008-06-19 05:15:02 EDT
Description of problem:

Previous versions of dovecot have had dovecot.conf as a world readable file. The
world read permission has been removed in the current version.

This means that the deliver program from the dovecot package no longer works
unless it is run as root, which any sensibly configured MTA would not want to do
for obvious security reasons.

Version-Release number of selected component (if applicable):

dovecot-1.0.14-8.fc9

How reproducible:

Totally.

Steps to Reproduce:
1. Upgrade dovecot to latest version
2. Run /usr/libexec/dovecot/deliver as a non-root user
  
Actual results:

Fatal: open(/etc/dovecot.conf) failed: Permission denied

Expected results:

Mail is delivered into the specified folder.

Additional info:

My current workaround is to change the ownership of dovecot.conf to dovecot:mail
which works as my MTA configuration runs deliver as group mail.
Comment 1 Dan Horák 2008-06-19 06:08:01 EDT
The permission change was done as a reaction on bug #445200. But you are right
that using dovecot:mail as ownership and 0640 as permissions would be more
appropriate. Leaving a file with certificate password world readable is not
good, so requiring deliver to be run with group = mail is a good compromise, I
think.
Comment 2 Fedora Update System 2008-06-22 12:33:52 EDT
dovecot-1.0.15-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-06-22 12:34:46 EDT
dovecot-1.0.15-1.fc9 has been submitted as an update for Fedora 9
Comment 4 Fedora Update System 2008-06-24 22:50:13 EDT
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dovecot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5642
Comment 5 Fedora Update System 2008-07-01 01:26:25 EDT
dovecot-1.0.15-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-07-01 01:28:10 EDT
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Jordan Russell 2008-07-04 01:46:33 EDT
(In reply to comment #1)
> using dovecot:mail as ownership and 0640 as permissions would be more
> appropriate.

Seriously bad idea. This needs to be reverted.

Now, if an attacker gains control over one of the unprivileged login processes
running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some
creative modifications there (perhaps a custom auth_executable setting), he can
run arbitrary commands as root.

http://wiki.dovecot.org/UserIds
"dovecot user is used internally for processing users' logins. It shouldn't have
access to any files or anything else either."
Comment 8 Dan Horák 2008-07-04 02:12:01 EDT
The only combination that remains is to set ownership to root:mail(In reply to
comment #7)
> (In reply to comment #1)
> > using dovecot:mail as ownership and 0640 as permissions would be more
> > appropriate.
> 
> Seriously bad idea. This needs to be reverted.
> 
> Now, if an attacker gains control over one of the unprivileged login processes
> running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some
> creative modifications there (perhaps a custom auth_executable setting), he can
> run arbitrary commands as root.
> 
> http://wiki.dovecot.org/UserIds
> "dovecot user is used internally for processing users' logins. It shouldn't have
> access to any files or anything else either."

The only combination that remains is to set ownership to root:mail. But
reverting the whole permission/ownership change that was done for bug #445200 is
a bad idea too. What do you think?
Comment 9 Jordan Russell 2008-07-16 16:20:46 EDT
I'm not really sure what (if anything) should be done about that problem... I'd
check with the Dovecot developer.
Comment 10 Fedora Update System 2008-07-26 02:06:11 EDT
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.