[Dovecot] valid_chroot_dirs question
Hello,
I've got a dovecot setup using PAM and real system users. In this setup I also use pure-ftpd to give local users ftp access to their $HOMEs. To have pure-ftpd chroot into the user home I replaced /home/user with /home/user/./ in /etc/passwd. Unfortunately this breaks Dovecot this way:
Oct 23 18:18:20 localhost dovecot: Invalid chroot directory '/home/foo' (user foo) (see valid_chroot_dirs in config file)
and dovecot.conf says
':' separated list of directories under which chrooting is allowed for
processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
This setting doesn't affect login_chroot or auth_chroot variables.
WARNING: Never add directories here which local users can modify, that
may lead to root exploit. Usually this should be done only if you don't
allow shell access for users. See doc/configuration.txt for more
information.
#valid_chroot_dirs =
Now if I set
valid_chroot_dirs = /home
everything works, but the WARNING pretty much scares me since user foo HAS shell access. Is this safe? Is there a way to avoid this? Why can't I chroot to /home/foo/./ if I can to /home/foo?
I'm on 1.0rc10
thanks
On Mon, 2006-10-23 at 18:32 +0200, Luca Corti wrote:
> ':' separated list of directories under which chrooting is allowed for
> processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
> This setting doesn't affect login_chroot or auth_chroot variables.
> WARNING: Never add directories here which local users can modify, that
> may lead to root exploit. Usually this should be done only if you don't
> allow shell access for users. See doc/configuration.txt for more
> information.
> #valid_chroot_dirs =
> Now if I set
> valid_chroot_dirs = /home
> everything works, but the WARNING pretty much scares me since user foo HAS shell access. Is this safe? Is there a way to avoid this? Why can't I chroot to /home/foo/./ if I can to /home/foo?
Well, the warning is perhaps a bit too cautious. As long as
- Dovecot has no security holes
- You're not giving users the possibility to run all kinds of system commands via IMAP (can't see a reason to do that..)
there shouldn't be any problems.
Also if the /home partition is mounted with the nosuid option it's always safe.
The problem is that a user can hardlink a setuid binary (eg. /bin/su) inside the chroot and create his own lib/libc.so. After that it only needs to be executed inside the chroot.
participants (2): Luca Corti, Timo Sirainen
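The nosuid condition from the reply can be checked mechanically. The following is an added example, not part of the original thread or of Dovecot: it parses /proc/mounts-format text and reports, for each directory in a valid_chroot_dirs value, whether its mount has nosuid set and whether it shares a mount with directories that usually hold setuid binaries. The function names, the sample mount table and the /bin and /usr/bin defaults are assumptions.

```python
import posixpath

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
/dev/sda3 /var/mail ext3 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set_of_options}; a later entry for a mount point wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts writes a space inside a path as \040
            mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a path prefix of `path` (None if no match)."""
    path = posixpath.normpath(path)  # "/home/foo/./" -> "/home/foo"
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def audit_chroot_dirs(valid_chroot_dirs, mounts, setuid_dirs=("/bin", "/usr/bin")):
    """Check each ':'-separated directory of a valid_chroot_dirs value.

    link(2) cannot cross mount points, so a setuid binary can only be
    hard-linked into a chroot on the same mount, and nosuid makes the kernel
    ignore the setuid bit there. `setuid_dirs` is an assumed default.
    """
    report = {}
    for d in filter(None, valid_chroot_dirs.split(":")):
        mp = mount_for(d, mounts)
        nosuid = "nosuid" in mounts.get(mp, set())
        shared = any(mount_for(s, mounts) == mp for s in setuid_dirs)
        report[d] = {"mount": mp, "nosuid": nosuid,
                     "shares_mount_with_setuid_dirs": shared,
                     "needs_review": shared and not nosuid}
    return report

if __name__ == "__main__":
    for d, r in audit_chroot_dirs("/home:/var/mail", parse_mounts(SAMPLE_MOUNTS)).items():
        print(d, r)
```

On a live system, pass the contents of /proc/mounts instead of the sample. A directory flagged `needs_review` is on a mount that honours setuid and also holds the assumed setuid directories; other setuid files on that mount are not enumerated.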