Running dovecot 1.2.4 on FreeBSD using Postfix. Everything works fine
normally, but deliver is executable by world.
This is not normally a problem, as I don't run deliver SetUID root.
But for whatever reason, when deliver is called by something that IS
SetUID root I get the following error:
/usr/local/libexec/dovecot/deliver must not be both world-executable
and setuid-root. This allows root exploits. See
http://wiki.dovecot.org/LDA#multipleuids
Deliver's permissions look like this:
-r-xr-xr-x
While the program calling deliver has permissions like this:
-r-s--x---
If it isn't possible for deliver to differentiate between being called
by setuid root programs and being setuid root itself I don't think it
should be doing that particular security check. Alternatively, there
should be an option to turn that particular check off, but what little
I saw of the source code and found searching the documentation told me
that there doesn't seem to be such an option already.
I also couldn't find any mention that this is fixed by 1.2.5 or 1.2.6.
Thomas Berezansky
Merrimack Valley Library Consortium