Denis Khromov
2009-Dec-29 09:04 UTC
[Dovecot] Deliver EX_TEMPFAIL's without giving any information
Hi all.

I've had a hard time trying to find out why deliver wasn't working after I updated dovecot from v1.11 to v1.2.8. It just gave me EX_TEMPFAIL without any info in the logs. My deliver was setuid-root.

Once I'd made a simple shell wrapper script for the deliver executable which saves deliver's stdout+stderr, I found the reason:

/usr/local/libexec/dovecot/deliver must not be both world-executable and setuid-root. This allows root exploits. See http://wiki.dovecot.org/LDA#multipleuids

Did a 'chmod o-x deliver' and fixed groups/owners and now everything works as it should.

I think this error message should go to log files, not just to stdout/stderr. And it's worth describing this behaviour in the Wiki.

Cheers,
Denis
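The permission test that tripped deliver above can be reproduced outside Dovecot. The following is an added example, not Dovecot's own code nor anything Denis posted: a POSIX sh check that refuses a root-owned binary carrying both the setuid bit and the world-execute bit, which is exactly the combination deliver rejects. It assumes GNU stat (with a BSD stat fallback that is an assumption on my part) and reports the same condition on stderr instead of silently failing with EX_TEMPFAIL.

```shell
#!/bin/sh
# Added example (not Dovecot's code): check whether a file is both
# setuid-root and world-executable, the combination deliver refuses.

# setuid_mode_ok OCTAL_MODE OWNER_UID
# Returns 0 if the mode is acceptable, 1 if the file is setuid-root and
# world-executable, 2 if the mode string is not octal.
setuid_mode_ok() {
    mode="$1"
    owner_uid="$2"
    case "$mode" in
        ''|*[!0-7]*) return 2 ;;
    esac
    # printf treats a leading 0 as octal, so "04755" becomes 2541.
    perm=$(printf '%d' "0$mode")
    # A setuid bit on a non-root file does not grant root; nothing to reject.
    [ "$owner_uid" -eq 0 ] || return 0
    # 2048 is the setuid bit (04000); if it is clear, any mode is fine.
    [ $(( perm & 2048 )) -ne 0 ] || return 0
    # 1 is the other-execute bit (00001); setuid-root plus o+x is rejected.
    [ $(( perm & 1 )) -eq 0 ] || return 1
    return 0
}

# check_file PATH
# Reads mode and owner from the filesystem and applies setuid_mode_ok.
# GNU stat is tried first; the BSD stat format string is an assumption.
check_file() {
    path="$1"
    info=$(stat -c '%a %u' "$path" 2>/dev/null) \
        || info=$(stat -f '%OMp%OLp %u' "$path" 2>/dev/null) \
        || { echo "cannot stat $path" >&2; return 3; }
    set -- $info
    if setuid_mode_ok "$1" "$2"; then
        return 0
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "$path must not be both world-executable and setuid-root" >&2
        fi
        return "$rc"
    fi
}

# Usage: sh check-setuid.sh /usr/local/libexec/dovecot/deliver
for path in "$@"; do
    check_file "$path"
done
```

On a broken install this prints the refusal to stderr and exits 1; the fix is the one Denis applied, 'chmod o-x' on the binary (Dovecot's wiki page linked above describes the intended group-executable setup).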
Timo Sirainen
2009-Dec-29 21:25 UTC
[Dovecot] Deliver EX_TEMPFAIL's without giving any information
On Tue, 2009-12-29 at 15:04 +0600, Denis Khromov wrote:
> /usr/local/libexec/dovecot/deliver must not be both world-executable
> and setuid-root. This allows root exploits. See
> http://wiki.dovecot.org/LDA#multipleuids
..
> I think this error message should go to log files, not just to
> stdout/stderr.

But that could be too late.. Someone could create a mydovecot.conf that says log_path = /etc/passwd and run deliver -c mydovecot.conf and mess up the passwd file by having it log the above message to it, or something similar to that. What could be possible is to also log it to syslog, but not everyone is using syslog and with the default mail facility. Seems like that could also cause trouble.

> And it's worth describing this behaviour in the Wiki.

Well, it only affects those people who upgrade from an old version and actually have deliver set up as setuid-root. I don't think there are that many of those left. :)