On Mon, 2006-10-23 at 18:32 +0200, Luca Corti wrote:> # ':' separated list of directories under which chrooting is
allowed for
> mail
> # processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar
> too).
> # This setting doesn't affect login_chroot or auth_chroot variables.
> # WARNING: Never add directories here which local users can modify, that
> # may lead to root exploit. Usually this should be done only if you
> don't
> # allow shell access for users. See doc/configuration.txt for more
> information.
> #valid_chroot_dirs =
>
> Now if I set
>
> valid_chroot_dirs = /home
>
> everything works, but the WARNING pretty much scares me since user foo
> HAS shell access. Is this safe? Is there a way to avoid this? Why I
> can't chroot to /home/foo/./ if I can to /home/foo ?
Well, the warning is perhaps a bit too cautious. As long as
1) Dovecot has no security holes
2) You're not giving users the possibility to run all kinds of system
commands via IMAP (can't see a reason to do that..)
there shouldn't be any problems.
Also if the /home partition is mounted with nosuid option it's always
safe.
The problem is that a user can hardlink a setuid binary (eg. /bin/su)
inside the chroot and create his own lib/libc.so. After that it's only
needed to be executed inside chroot.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://dovecot.org/pipermail/dovecot/attachments/20061102/d734592f/attachment.pgp