secure setup for imap hibernation

secure setup for imap hibernation

Arkadiusz Miśkiewicz

Hi.

What's the approach for securely enabling imap hibernation in case when each
user uses different uid and gid?

Looks like none and 0666 on hibernation and imap master sockets is the only
way?

Thanks,
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: secure setup for imap hibernation

Aki Tuomi-2


On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
> Hi.
>
> What's the approach for securely enabling imap hibernation in case when each
> user uses different uid and gid?
>
> Looks like none and 0666 on hibernation and imap master sockets is the only
> way?
>
> Thanks,

That's the only way, yes. Hibernation keeps all connections in same process.

Aki

Re: secure setup for imap hibernation

Arkadiusz Miśkiewicz
On Friday 27 of October 2017, Aki Tuomi wrote:

> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
> > Hi.
> >
> > What's the approach for securely enabling imap hibernation in case when
> > each user uses different uid and gid?
> >
> > Looks like none and 0666 on hibernation and imap master sockets is the
> > only way?
> >
> > Thanks,
>
> That's the only way, yes. Hibernation keeps all connections in same
> process.

Couldn't dovecot do setgroups(2) to add additional common group to
imap/hibernation processes and rely on that for access to sockets (sockets
would be root:thatgroup 0660) thus making it a bit more secure?

Non mail related uids/gids wouldn't have access to sockets that way.

> Aki

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: secure setup for imap hibernation

Aki Tuomi-2


On 27.10.2017 12:32, Arkadiusz Miśkiewicz wrote:

> On Friday 27 of October 2017, Aki Tuomi wrote:
>> On 27.10.2017 11:20, Arkadiusz Miśkiewicz wrote:
>>> Hi.
>>>
>>> What's the approach for securely enabling imap hibernation in case when
>>> each user uses different uid and gid?
>>>
>>> Looks like none and 0666 on hibernation and imap master sockets is the
>>> only way?
>>>
>>> Thanks,
>> That's the only way, yes. Hibernation keeps all connections in same
>> process.
> Couldn't dovecot do setgroups(2) to add additional common group to
> imap/hibernation processes and rely on that for access to sockets (sockets
> would be root:thatgroup 0660) thus making it a bit more secure?
>
> Non mail related uids/gids wouldn't have access to sockets that way.
>
>> Aki

It could. But at the moment it's not; a pull request to do this is always
welcome. It would also need some way to choose the correct socket.

Aki
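
Added example, not part of the thread and not Dovecot code: a small C model of the permission check behind the two socket setups discussed above (0666 versus root:thatgroup 0660 with the group supplied through setgroups(2)). The uids, gids and group id 5000 are constructed; directory search permission, ACLs and LSM policy are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Credentials of a process calling connect(2) on a UNIX socket path. */
struct cred {
    uid_t uid;
    gid_t gid;
    const gid_t *groups; /* supplementary groups, as set by setgroups(2) */
    size_t ngroups;
};

static bool in_group(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return c->gid == g;
}

/* connect(2) needs write permission on the socket file. Only the first
 * matching class (owner, then group, then other) is consulted. */
bool can_connect(const struct cred *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->uid == 0)
        return true; /* root bypasses the mode bits */
    if (c->uid == owner)
        return (mode & S_IWUSR) != 0;
    if (in_group(c, group))
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Constructed ids: 5000 is a hypothetical shared mail group. */
enum { MAILGRP = 5000 };
static const gid_t mail_groups[] = { MAILGRP };
static const struct cred mail_user = { 1001, 1001, mail_groups, 1 };
static const struct cred non_mail_user = { 2001, 2001, NULL, 0 };

int main(void)
{
    printf("root:root 0666    mail=%d non-mail=%d\n",
           can_connect(&mail_user, 0, 0, 0666), can_connect(&non_mail_user, 0, 0, 0666));
    printf("root:mailgrp 0660 mail=%d non-mail=%d\n",
           can_connect(&mail_user, 0, MAILGRP, 0660), can_connect(&non_mail_user, 0, MAILGRP, 0660));
    return 0;
}
```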