Description of problem: Previous versions of dovecot have had dovecot.conf as a world readable file. The world read permission has been removed in the current version. This means that the deliver program from the dovecot package no longer works unless it is run as root, which any sensibly configured MTA would not want to do for obvious security reasons. Version-Release number of selected component (if applicable): dovecot-1.0.14-8.fc9 How reproducible: Totally. Steps to Reproduce: 1. Upgrade dovecot to latest version 2. Run /usr/libexec/dovecot/deliver as a non-root user Actual results: Fatal: open(/etc/dovecot.conf) failed: Permission denied Expected results: Mail is delivered into the specified folder. Additional info: My current workaround is to change the ownership of dovecot.conf to dovecot:mail which works as my MTA configuration runs deliver as group mail.
The permission change was done as a reaction on bug #445200. But you are right that using dovecot:mail as ownership and 0640 as permissions would be more appropriate. Leaving a file with certificate password world readable is not good, so requiring deliver to be run with group = mail is a good compromise, I think.
dovecot-1.0.15-1.fc8 has been submitted as an update for Fedora 8
dovecot-1.0.15-1.fc9 has been submitted as an update for Fedora 9
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dovecot'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5642
dovecot-1.0.15-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
dovecot-1.0.15-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #1) > using dovecot:mail as ownership and 0640 as permissions would be more > appropriate. Seriously bad idea. This needs to be reverted. Now, if an attacker gains control over one of the unprivileged login processes running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some creative modifications there (perhaps a custom auth_executable setting), he can run arbitrary commands as root. http://wiki.dovecot.org/UserIds "dovecot user is used internally for processing users' logins. It shouldn't have access to any files or anything else either."
The only combination that remains is to set ownership to root:mail(In reply to comment #7) > (In reply to comment #1) > > using dovecot:mail as ownership and 0640 as permissions would be more > > appropriate. > > Seriously bad idea. This needs to be reverted. > > Now, if an attacker gains control over one of the unprivileged login processes > running as "dovecot", he has the ability to edit /etc/dovecot.conf. With some > creative modifications there (perhaps a custom auth_executable setting), he can > run arbitrary commands as root. > > http://wiki.dovecot.org/UserIds > "dovecot user is used internally for processing users' logins. It shouldn't have > access to any files or anything else either." The only combination that remains is to set ownership to root:mail. But reverting the whole permission/ownership change that was done for bug #445200 is a bad idea too. What do you think?
I'm not really sure what (if anything) should be done about that problem... I'd check with the Dovecot developer.