Hi,

we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable - possible password exposure.

This problem seems to be a little more complicated than we thought.

dovecot.conf can contain the passphrase for the ssl key, which is available for everyone since dovecot.conf has world readable permissions.
(In the CVE's description there is a note that it is RHEL's/Fedora's problem, but it affects all systems imo.)

We were thinking about a few ways how to fix it:
1) 0640 permissions for dovecot.conf - but it can become not readable for dovecot
2) 0640 root:mail and set deliver to group mail with sgid - possible security problem
3) don't store the passphrase in dovecot.conf, just ask for it when dovecot is started - can hang the boot process, not good

As part of investigating, I've found dovecot is storing all variables in environment variables - does it mean even the passphrase? I'm not completely sure, but all variables can be read via /proc/<pid>/environ (I don't know if it becomes readable in some circumstances.)

Is there any plan to solve this problem?

Cheers,
Michal
Hello,

Michal Hlavinka wrote (13 Nov 2008 11:03:48 GMT) :
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is world readable -
> possible password exposure.
> This problem seems to be little more complicated than we thought.
> dovecot.conf can contain passphrase for ssl key, which is available for everyone
> since dovecot.conf has world readable permissions.
> (In CVE's description is note that it RHEL's/Fedora's problem, but it affects all
> systems imo)
> We was thinking about few ways how to fix it:
> 1) 0640 permissions for dovecot.conf - but it can became not readable for dovecot

File-system ACL's are usually my preferred solution for this class of problems (i.e. set 0640 permissions, and add read access for the dovecot user via ACL's).

But it may not be applicable from a distribution point of view, since it's hard to guarantee that the file-system where /etc lives is mounted with ACL's enabled, or even supports them.

It may be a good long-term idea for distributions to migrate installed systems to ACL-enabled root file-systems, and to enable them by default on new installs. Once it's done, this whole class of problems will find a natural and easily applicable solution.

Bye,
--
intrigeri <intrigeri at boum.org>
| gnupg key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| Do not be trapped by the need to achieve anything.
| This way, you achieve everything.
On Nov 13, 2008, at 1:03 PM, Michal Hlavinka wrote:
> Hi,
>
> we're trying to solve CVE-2008-4870 = rhbz#436287 = dovecot.conf is
> world readable - possible password exposure.
>
> This problem seems to be little more complicated than we thought.
>
> dovecot.conf can contain passphrase for ssl key, which is available
> for everyone since dovecot.conf has world readable permissions.

Maybe a new separate dovecot-secret.conf? When Dovecot starts up it first reads dovecot.conf and after that dovecot-secret.conf. deliver wouldn't read dovecot-secret.conf at all.
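The check and the ACL-based fix discussed in this thread, written out as an added example (not code from any of the posters or from Dovecot itself): it flags a config file that is world-readable while carrying a passphrase, and applies the 0640-plus-ACL remediation. It assumes a Linux host with GNU stat and setfacl, and that the passphrase lives in Dovecot's ssl_key_password setting.

```shell
#!/bin/sh
# Audit a Dovecot config file for the CVE-2008-4870 condition:
# a world-readable file that carries the SSL key passphrase.
# Returns 0 when nothing is exposed, 1 when the passphrase is
# readable by "other", 2 when the file does not exist.
audit_dovecot_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Octal mode (e.g. 644); the last digit is the "other" permission bits.
    mode=$(stat -c %a "$conf")
    other=$(printf '%s' "$mode" | tail -c 1)
    # Passphrase present? Matches an uncommented "ssl_key_password = value".
    if grep -Eq '^[[:space:]]*ssl_key_password[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
        has_pass=1
    else
        has_pass=0
    fi
    # Exposed only when both conditions hold: secret stored AND world-readable.
    if [ "$has_pass" -eq 1 ] && [ $((other & 4)) -ne 0 ]; then
        echo "EXPOSED: $conf is mode $mode and contains ssl_key_password"
        return 1
    fi
    echo "OK: $conf (mode $mode, passphrase present: $has_pass)"
    return 0
}

# Remediation as proposed in the thread: drop "other" access with 0640 and
# grant the dovecot user read access through a POSIX ACL rather than a
# group bit. setfacl fails if /etc is not on an ACL-capable mount, which
# is exactly the distribution-side caveat raised above.
harden_dovecot_conf() {
    conf="$1"
    user="${2:-dovecot}"   # assumed service account name
    chmod 0640 "$conf" && setfacl -m "u:$user:r" "$conf"
}

# Usage: ./audit.sh /etc/dovecot.conf
if [ $# -gt 0 ]; then
    audit_dovecot_conf "$1"
fi
```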