On Friday 27 of October 2017, Aki Tuomi wrote:
> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
> > Hi.
> > 
> > What's the approach for securely enabling imap hibernation in case when
> > each user uses different uid and gid?
> > 
> > Looks like none and 0666 on hibernation and imap master sockets is the
> > only way?
> > 
> > Thanks,
> 
> That's the only way, yes. Hibernation keeps all connections in same
> process.
Couldn't dovecot do setgroups(2) to add additional common group to 
imap/hibernation processes and rely on that for access to sockets (sockets 
would be root:thatgroup 0660) thus making it a bit more secure?
Non mail related uids/gids wouldn't have access to sockets that way.
> Aki
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
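
The proposal in the message above, sketched as an added example (not Dovecot code and not from the thread): a privilege drop that keeps one shared supplementary group, plus a small model of the mode-bit check that decides who may connect to a 0666 socket versus a root:group 0660 one. The uids, gid 900 and all function names are constructed for illustration; the model covers plain mode bits only, not directory permissions, ACLs or LSM policy.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups(2) under strict -std modes */
#endif
#include <grp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials a process holds after dropping root. */
struct creds { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

/* Constructed ids: 900 is a hypothetical shared socket group. */
static const gid_t SHARED[] = { 900 };
static const struct creds MAIL_WORKER = { 5001, 5001, SHARED, 1 };
static const struct creds OTHER_LOCAL = { 7001, 7001, NULL, 0 };

/* Run as root: groups and gid must be set before setuid() gives up the right. */
int drop_to_user(uid_t uid, gid_t gid, gid_t shared_gid)
{
    if (setgroups(1, &shared_gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    return setuid(uid);
}

static bool in_group(const struct creds *c, gid_t g)
{
    if (c->gid == g) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return true;
    return false;
}

/* Model of the mode-bit check for connect(2) on a pathname socket:
 * write permission is needed, and only the first matching class applies. */
bool may_connect(const struct creds *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->uid == 0) return true;                      /* root bypasses mode bits */
    if (c->uid == owner) return (mode & S_IWUSR) != 0;
    if (in_group(c, group)) return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

int main(void)
{
    printf("0666 root:root  worker=%d other=%d\n",
           may_connect(&MAIL_WORKER, 0, 0, 0666), may_connect(&OTHER_LOCAL, 0, 0, 0666));
    printf("0660 root:900   worker=%d other=%d\n",
           may_connect(&MAIL_WORKER, 0, 900, 0660), may_connect(&OTHER_LOCAL, 0, 900, 0660));
    return 0;
}
```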