[Dovecot] imapc vs auth-userdb security
Lutz Preßler
Lutz.Pressler at SerNet.DE
Wed Sep 14 14:57:00 EEST 2011
On Mi, 14 Sep 2011, Timo Sirainen wrote:
> On 14.9.2011, at 14.40, Lutz Preßler wrote:
>
> > with imapc settings coming from userdb (individual configuration necessary)
> > there exists a security problem if access to auth-userdb socket is given
> > to normal (shell) users:
>
> So don't give it to them? :) Actually this should be pretty much solved with v2.1 defaults. If the auth-userdb socket is 0666 root:root (default now), it requires that the calling process either has root user/group privileges or its uid matches the one returned by userdb, otherwise it won't return any fields.
I had to change that because of shared mailboxes and usage of %%h.
Maybe one could return only home if uid does not match?
Lutz
More information about the dovecot
mailing list