Aymeric Agon-Rambosson
2023-Mar-14 22:45 UTC
Postfix : root and system user authentication
Hello everyone,

From what I understand of the documentation, it is impossible to log in to the dovecot server as root, or as any user not in the interval between first_valid_uid and last_valid_uid. I have been able to verify this.

However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL according to the configuration described at https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/, we can indeed log in as root on the postfix server.

Proof (/var/log/mail.log with auth=debug):

Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=<redacted>#011rip=<redacted>#011secured#011resp=<hidden>
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: pam(root,<redacted>): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): Server accepted connection (fd=13)
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): Sending version handshake
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: Handling PASSV request
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): Performing passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): lookup service=dovecot
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): #1/1 style=1 msg=Password:
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: pam(root,<redacted>): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth-worker(136499): Debug: conn unix:auth-worker (pid=136444,uid=111): auth-worker<1>: Finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: pam(root,<redacted>): Finished passdb lookup
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: auth(root,<redacted>): Auth request finished
Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011

At this moment, the smtps client connecting to postfix produces "Authentication successful" and we can continue.

In contrast, when we try to log in to dovecot directly as root, we have the following:

Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011session=<redacted>#011lip=<redacted>#011rip=<redacted>#011lport=993#011rport=52004#011local_name=mail.ricorambo.su#011resp=<hidden>
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: pam(root,<redacted>,<redacted>): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): Server accepted connection (fd=13)
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): Sending version handshake
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: Handling PASSV request
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): Performing passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): lookup service=dovecot
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): #1/1 style=1 msg=Password:
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: pam(root,<redacted>,<redacted>): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<1>: Finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: pam(root,<redacted>,<eU8pHs32JMuE40wF>): Finished passdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: auth(root,<redacted>,<eU8pHs32JMuE40wF>): Auth request finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011#011original_user=root at ricorambo.su
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master in: REQUEST#<redacted>
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: passwd(root,<redacted>,<redacted>): Performing userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: Handling USER request
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): Performing userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: passwd(root,<redacted>,<redacted>): Finished userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth-worker(137089): Debug: conn unix:auth-worker (pid=137079,uid=111): auth-worker<2>: Finished
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: passwd(root,<redacted>,<redacted>): Finished userdb lookup
Mar 13 20:28:38 ricorambo dovecot: auth: Debug: master userdb out: USER#<redacted>
Mar 13 20:28:38 ricorambo dovecot: imap-login: Login: user=<root>, method=PLAIN, rip=<redacted>, lip=192.168.1.22, mpid=137090, TLS, session=<redacted>
Mar 13 20:28:38 ricorambo dovecot: imap(root): Error: Invalid settings in userdb: userdb returned 0 as uid
Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event 0xaaab0e9db2a0 leaked (parent=0xaaab0e9cdc80): mail-storage-service.c:1336
Mar 13 20:28:38 ricorambo dovecot: imap(root): Warning: Event 0xaaab0e9cdc80 leaked (parent=(nil)): main.c:246

At this moment, the imap client produces "Internal server error" and finishes.

Steps to reproduce:

- Delegate SASL authentication from postfix to dovecot as such:

/etc/postfix/master.cf

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

and of course:

/etc/dovecot/conf.d/10-master.conf

unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}

- Log in to your server, port 465, with a client like openssl:

openssl s_client -connect mail.example.org:465
EHLO whateveryouwant
AUTH PLAIN \0root\0password (in base 64, ofc)

You should be able to log in, and produce the first log trace I have included.

My question is, is this a feature or a bug? The hardcoded impossibility to log in as root to dovecot, and the honouring of the variables {first,last}_valid_{u,g}id, are those specific to logging in to dovecot directly, or should they be applicable to any other process that has delegated its authentication to dovecot?

If this is a feature, that is if postfix cannot profit from the variables {first,last}_valid_{u,g}id (or the hardcoded forbidding of root) through dovecot sasl:

- This should maybe be made more obvious somewhere in the documentation.
- What would be the good way to prevent root login to postfix, when authentication is delegated to dovecot?

The dovecot version is 2.3.13 (89f716dc2)

The system is the following: Linux 5.10.0-21-arm64 #1 SMP Debian 5.10.162-1 (2023-01-21) aarch64 GNU/Linux

Thank you in advance for your time. I have included the output of dovecot -n for reference.

Best regards,

Aymeric
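The two traces above part ways only after the passdb answer: on the IMAP path Dovecot's own userdb step rejects uid 0, while the SMTP path ends at the "client passdb out: OK" line, so that line is the one a log monitor has to catch. The following Python is an added example (not from the original post or from Dovecot) that parses these syslog-escaped auth debug lines and alerts when an accepted user's UID falls outside an assumed first_valid_uid/last_valid_uid range; the UID table, the range values and the "alice" login are constructed.

```python
import re

FIRST_VALID_UID, LAST_VALID_UID = 1000, 60000  # assumed to mirror dovecot.conf
# Constructed stand-in for getpwnam() so the example runs offline.
UID_BY_USER = {"root": 0, "postfix": 106, "alice": 1000}

# Trimmed from the debug traces quoted in the thread (redactions kept), plus a
# constructed ordinary-user login (request 2) that must not raise an alert.
SAMPLE_LOG = [
    "Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=<redacted>#011secured#011resp=<hidden>",
    "Mar 13 20:16:37 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011",
    "Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured=tls#011lport=993#011resp=<hidden>",
    "Mar 13 20:28:38 ricorambo dovecot: auth: Debug: client passdb out: OK#0111#011user=root#011#011original_user=root at ricorambo.su",
    "Mar 13 20:30:00 ricorambo dovecot: auth: Debug: client in: AUTH#0112#011PLAIN#011service=smtp#011secured#011resp=<hidden>",
    "Mar 13 20:30:00 ricorambo dovecot: auth: Debug: client passdb out: OK#0112#011user=alice#011",
]

LINE_RE = re.compile(r"dovecot: auth: Debug: client (in|passdb out): (.*)$")


def unescape(field):
    """Undo syslog's octal escaping of control characters (#011 is a tab)."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_auth_events(lines):
    """Return (request_id, service, user) for every passdb answer that was OK."""
    # Request ids are unique only per auth-client connection; real logs should
    # also be keyed on the client pid, which these debug lines do not carry.
    pending, accepted = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = unescape(m.group(2)).split("\t")
        params = dict(f.split("=", 1) for f in fields if "=" in f)
        if m.group(1) == "in" and fields[0] == "AUTH":
            pending[fields[1]] = params.get("service", "?")  # remember who asked
        elif fields[0] == "OK":
            accepted.append((fields[1], pending.pop(fields[1], "?"), params.get("user")))
    return accepted


def find_privileged_logins(lines, uid_by_user=UID_BY_USER):
    """Alert on accepted users whose UID is outside first/last_valid_uid."""
    alerts = []
    for req_id, service, user in parse_auth_events(lines):
        uid = uid_by_user.get(user)
        if uid is None or not FIRST_VALID_UID <= uid <= LAST_VALID_UID:
            alerts.append(f"req {req_id}: service={service} accepted user={user} uid={uid}")
    return alerts
```

Run against SAMPLE_LOG it reports both root acceptances with their requesting service and stays silent for the in-range user; Dovecot's own refusal on the IMAP side happens later, in the userdb step, which this rule deliberately does not wait for.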
> However, when we have a postfix server on the same machine, that delegates authentication to dovecot SASL ... we can indeed log in as root on the postfix server.

You are not logging into Dovecot with root, you are connecting to Postfix for submission. When you connect to Dovecot using Linux users (PAM), the running process takes on the UID of the login user to get the file permissions to read that user's home directory, where email could be stored. The risk being that if someone had root UID 0, they could read anything on the server, not just the home directory of a user.

But you aren't logging into Dovecot, you are connecting to Postfix. You aren't checking mail or reading directories. You are only submitting an email to Postfix for submission services. Postfix runs as its own Postfix UID no matter who you authenticate as. So even though you are authenticating yourself with root credentials, you aren't doing so as the root UID, you aren't reading email, and you aren't accessing any file systems like Dovecot would be.
On Wed, Mar 15, 2023 at 1:46 AM Aymeric Agon-Rambosson <aymeric.agon at yandex.com> wrote:
>
> Hello everyone,
>
> From what I understand of the documentation, it is impossible to
> log in to the dovecot server as root, or as any user not in the
> interval between first_valid_uid and last_valid_uid.
>

https://doc.dovecot.org/configuration_manual/authentication/master_users/

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)