On 31 Jul 2019, at 20.45, A. Schulze via dovecot <dovecot at dovecot.org> wrote:
>
> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>> service lmtp {
>>   user = vmail
>> }
>>
>> please remove user = vmail from here or change it to root.
>>
>> for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialisation but it needs to open /self/proc/io as root before that.
>
> Hello Sami,
>
> I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so.
> Could you prove that statement somehow?

Alternative is:

service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}

I'm not sure if you run into other problems with that.
On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:
> On 31 Jul 2019, at 20.45, A. Schulze via dovecot <dovecot at dovecot.org> wrote:
>>
>> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>>> service lmtp {
>>>   user = vmail
>>> }
>>>
>>> please remove user = vmail from here or change it to root.
>>>
>>> for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialization but it needs to open /self/proc/io as root before that.
>>
>> Hello Sami,
>>
>> I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so.
>> Could you prove that statement somehow?
>
> Alternative is:
>
> service lmtp {
>   user = vmail
>   drop_priv_before_exec = yes
> }
>
> I'm not sure if you run into other problems with that.

OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says
"If you're using only a single global UID/GID, you can improve security by running lmtp processes as that user"

So, if I am using a single UID/GID, then is the above wiki article correct or do I need to change my config?

Regards,

-- 
Tom me at tdiehl.org
On 6.8.2019 4.20, Tom Diehl via dovecot wrote:
> On Thu, 1 Aug 2019, Timo Sirainen via dovecot wrote:
>
>> On 31 Jul 2019, at 20.45, A. Schulze via dovecot <dovecot at dovecot.org> wrote:
>>>
>>> On 31.07.19 at 08:27, Sami Ketola via dovecot wrote:
>>>> service lmtp {
>>>>   user = vmail
>>>> }
>>>>
>>>> please remove user = vmail from here or change it to root.
>>>>
>>>> for security reasons lmtp service must be started as root since version 2.2.36. lmtp will drop root privileges after initialization but it needs to open /self/proc/io as root before that.
>>>
>>> Hello Sami,
>>>
>>> I don't read "root is required for lmtp" in https://wiki.dovecot.org/LMTP#Security, nor does https://dovecot.org/doc/NEWS-2.2 say so.
>>> Could you prove that statement somehow?
>>
>> Alternative is:
>>
>> service lmtp {
>>   user = vmail
>>   drop_priv_before_exec = yes
>> }
>>
>> I'm not sure if you run into other problems with that.
>
> OK, so now I am confused. At https://wiki.dovecot.org/LMTP#Security it says
> "If you're using only a single global UID/GID, you can improve security by running lmtp processes as that user"
>
> So, if I am using a single UID/GID, then is the above wiki article correct or do I need to change my config?
>
> Regards,
>

This file is used for stats gathering, so if you are not using stats, it's not a huge problem. You can probably also use

import_environment = PR_SET_DUMPABLE=1

to get rid of the warning. Although this makes your process less secure as it can be ptrace'd.

Aki
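The thread boils down to two settings an administrator can audit before restarting Dovecot: whether service lmtp is started as root (or, as Timo suggests, as vmail with drop_priv_before_exec = yes), and whether the warning has been silenced with PR_SET_DUMPABLE=1 in import_environment, which Aki notes leaves the processes ptrace-able. The following script is an added example written for this page; it is not Dovecot code and not from any participant. It assumes Dovecot's plain "key = value" and "name { ... }" syntax as shown in the quoted snippets, assumes that a service block with no user setting is started as root (as Sami's advice to simply remove user = vmail implies), and the config excerpts it checks are constructed for the example.

```python
"""Audit a Dovecot config excerpt for the 'service lmtp' privilege settings
discussed in the thread. Added example; not Dovecot's own code."""

# Constructed excerpt reproducing the problematic combination from the thread:
# lmtp started as vmail without drop_priv_before_exec, and the warning silenced
# by making the process dumpable.
SAMPLE_CONFIG = """
# constructed dovecot.conf excerpt
protocols = imap lmtp
import_environment = TZ CORE_OUTOFMEM CORE_ERROR PR_SET_DUMPABLE=1

service lmtp {
  user = vmail
  unix_listener lmtp {
    mode = 0666
  }
}

service imap {
  user = vmail
}
"""

# Constructed excerpt using Timo's alternative: keep user = vmail but let the
# service binary drop privileges itself, and do not set PR_SET_DUMPABLE.
HARDENED_CONFIG = """
protocols = imap lmtp

service lmtp {
  user = vmail
  drop_priv_before_exec = yes
}
"""


def parse_config(text):
    """Minimal parser for Dovecot's 'key = value' / 'name { ... }' syntax.
    Nested blocks become dicts keyed by their header, e.g. 'service lmtp'.
    Only whole-line comments are recognised; this is an assumption of the
    example, not a full reimplementation of Dovecot's parser."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("cannot parse line: %r" % raw)
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]


def check_lmtp_privileges(config):
    """Return a list of findings based on the advice in the thread:
    start lmtp as root or set drop_priv_before_exec = yes, and do not hide
    the warning by making the process dumpable."""
    findings = []
    lmtp = config.get("service lmtp", {})
    # Assumption: no explicit user means the service is started as root.
    user = lmtp.get("user", "root")
    drop_priv = lmtp.get("drop_priv_before_exec", "no").lower() == "yes"
    if user != "root" and not drop_priv:
        findings.append(
            "service lmtp: user = %s without drop_priv_before_exec = yes; "
            "lmtp cannot open its per-process I/O stats file as root before "
            "dropping privileges" % user)
    env = config.get("import_environment", "").split()
    if "PR_SET_DUMPABLE=1" in env:
        findings.append(
            "import_environment sets PR_SET_DUMPABLE=1: silences the warning "
            "but leaves the processes ptrace-able")
    return findings


def audit(text):
    """Parse a config excerpt and return its findings (empty list when clean)."""
    return check_lmtp_privileges(parse_config(text))


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print("%s: %s" % (name, "OK" if not result else ""))
        for finding in result:
            print("  - " + finding)
```

Run against a real installation by feeding it the output of doveconf -n instead of the constructed strings; the check deliberately reports the PR_SET_DUMPABLE=1 workaround as a finding rather than a fix, since it trades the warning for a weaker process protection.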