[Dovecot] Maildir owner importance
Timo Sirainen
tss at iki.fi
Wed Dec 29 17:17:39 EET 2004
On 29.12.2004, at 16:45, Peter Lacey wrote:
> On Dec 29, 2004, at 6:06 AM, Timo Sirainen wrote:
>
>> And there was talk about auth_user in this thread too. The most
>> important thing with it is that it must not be the same as login_user
>
> Okay, I didn't know this. So the imap-login process should run as
> user1 (not "root", typically "dovecot") and dovecot-auth should run as
> user2 (could be root, should be just privileged enough to access the
> auth_userdb and auth_passdb, which in the case of LDAP is anyone).
> Here's the question, why is it important that these two not be the
> same user?

Well, it solves more of a theoretical problem with not-so-great
importance, but Dovecot is full of that anyway :)

The point of the login processes is that they try to keep the rest of
the system safe even if an attacker is able to run any code in them. This
is because they are chrooted into an (almost) empty non-writable directory
and they run as a user which has no privileges to do anything.

If you run dovecot-auth as the same user as the login process, the
attacker will at least be able to kill your auth process. Probably
nothing else though, since the OS treats it as a setuid process. But there
have previously been many holes in OSes allowing access to setuid
processes..

And the reason why I'm expecting the login processes to be the most
attacked processes is that they run all the SSL code, and that's big
and complex and probably still has (or will have) some security holes
allowing arbitrary code execution..
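
Added example, not part of the original message and not Dovecot code: a small audit for the separation described above, reporting when a login process could signal the auth process. It assumes a Linux `/proc` layout and the process names `imap-login` and `dovecot-auth` used in the thread; the function names and the UIDs 97 and 98 are constructed for illustration, and the permission check models only the UID rule of kill(2), treating effective UID 0 as allowed.

```python
import os

def parse_uids(status_text):
    """Return (real, effective, saved) UIDs from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            real, eff, saved = (int(x) for x in line.split()[1:4])
            return real, eff, saved
    raise ValueError("no Uid: line")

def can_signal(sender, target):
    """kill(2) rule: a non-root sender needs its real or effective UID to
    equal the target's real or saved set-user-ID."""
    s_real, s_eff, _ = sender
    t_real, _, t_saved = target
    return s_eff == 0 or bool({s_real, s_eff} & {t_real, t_saved})

def audit(procs, login_name="imap-login", auth_name="dovecot-auth"):
    """procs: iterable of (name, status_text). Returns a list of findings."""
    uids = [(name, parse_uids(text)) for name, text in procs]
    findings = []
    for lname, luid in uids:
        for aname, auid in uids:
            if lname == login_name and aname == auth_name and can_signal(luid, auid):
                findings.append(f"{lname} (euid {luid[1]}) can signal {aname} (euid {auid[1]})")
    return findings

def running_procs():
    """Yield (name, status_text) for live processes; Linux /proc only."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                text = f.read()
        except OSError:
            continue  # process exited while we were scanning
        if text.startswith("Name:"):
            yield text.split("\n", 1)[0].split(":", 1)[1].strip(), text

def fake_status(name, uid):
    """Constructed sample input shaped like /proc/<pid>/status."""
    return name, f"Name:\t{name}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"

if __name__ == "__main__":
    shared = [fake_status("imap-login", 97), fake_status("dovecot-auth", 97)]
    split = [fake_status("imap-login", 97), fake_status("dovecot-auth", 98)]
    print("shared uid:", audit(shared))
    print("split uid: ", audit(split))
    print("this host: ", audit(running_procs()))
```

An empty list for the live host means no `imap-login` process shares a signalling UID with `dovecot-auth`, or that neither process is running.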