Dovecot version 1.0rc15 for Fedora Core 4, tighter permissions for homes

6 posts / 0 new
Last post
#1 Mon, 02/26/2007 - 17:42
Joe
Joe's picture

Dovecot version 1.0rc15 for Fedora Core 4, tighter permissions for homes

Hi all, <p> A few days ago, I rolled out a new Dovecot package for CentOS/RHEL 4. That one went so well (loads of complains and bug reports within hours of release, but it only took a couple of updates throughout the day to fix it, so we'll call it a success), that I'm doing it again for the poor...ahem...lucky folks using Fedora Core 4. (If you have FC5 or FC6, then you don't need this update.) <p> Anyway, since this is a rehash of the same package roll-out from a few days ago, I'll just re-post the same blurb with minor alterations: <p> I've rolled out a somewhat experimental (but much needed) package of Dovecot version 1.0rc15 for Fedora Core 4 on i386 and x86_64. This upgrade fixes an irritating limitation of Dovecot 0.99, as provided by the OS software repositories. Specifically, older versions do not support group membership, and so the full path to each users home must be readable by world, if Maildir mail spools are being used (this applies to everyone with a default Virtualmin Professional installation). With the 1.0 version, this limitation no longer applies, and homes can default to 0750 permissions. <p> This update is recommended for everyone running Fedora Core version 4. It has been tested to behave correctly in every circumstance I could think of, and we've been running this version, and a couple of earlier versions, on Virtualmin.com for several weeks without incident. <p> Versions for other operating systems (excluding those systems that already have a recent version) will be rolled out over the next 24-36 hours. <p> To upgrade on Fedora: <p> yum update dovecot <p> Please note any errors, and let me know about them in the bug tracker. The expected behavior for systems with an old version of Dovecot is either no messages (other than the usual installation progress bar), or this notice: "Found old dovecot.conf, saved to /etc/dovecot.conf.rpmsave" if your dovecot.conf has ever been modified. If this message occurs, you may need to re-apply any changes you made to your Dovecot configuration. The Webmin Dovecot module supports both the old and new syntax, so you can use Webmin to make changes, if you like. <p> And now...the fun part! <p> Once you've updated your Dovecot version, you can setup Webmin to create new homes with 750 permissions. To do that, browse to Webmin's Users and Groups module in the System category. Click on the "Module Config" in the upper left corner of the right content panel. <p> In the "Home directory options" section, change "Permissions on new home directories" from 0755 to 0750. Save it. <p> Finally, change the permissions on your existing directories with: <p> cd /home chmod 750 * <p> All done! You're directories are now locked down tight as a drum, but you can still pickup your mail. <p> As always, if anything goes wrong, let us know. We'll help you fix it--anything that can go wrong during this process is pretty easy to fix, so don't panic. <p> <b>Known Issues</b> <p> There is a known issue with autoresponders once the permissions have been locked down. This is expected to be fixed in the next Virtualmin virtual-server module fix...if you use that functionality now, you may want to hold off for a few days on locking down the permissions.

Sun, 06/07/2009 - 07:01
Blueforce

Hi Joe,

I'll have to ask,
Is there somehing wrong or something configured wrong on our server. After updating Dovecot and set all permissions to 750 a user still can see all users within home, even if he can't browse in to another users folder. BUT if he clicks &quot;Up&quot; in folders he can go all the way to / on the server and also browse the major part of the server folders... doing whatever he wants?!

Is it supposed to be like this?? We all the time gets more users that want to use SFTP (FTP over SSH). And I'm getting more nervous for each user that I allow to log in with SFTP (FTP over SSH). I'm starting think that I have to switch to regular FTP that locks the user to ONLY access stuff in his own &quot;home&quot;.

I was using WS_FTP Pro when I tried this.

Regards,
Leif

Sun, 06/07/2009 - 07:01
Blueforce

Hi Joe,

I'll have to ask,
Is there somehing wrong or something configured wrong on our server. After updating Dovecot and set all permissions to 750 a user still can see all users within home, even if he can't browse in to another users folder. BUT if he clicks &quot;Up&quot; in folders he can go all the way to / on the server and also browse the major part of the server folders... doing whatever he wants?!

Is it supposed to be like this?? We all the time gets more users that want to use SFTP (FTP over SSH). And I'm getting more nervous for each user that I allow to log in with SFTP (FTP over SSH). I'm starting think that I have to switch to regular FTP that locks the user to ONLY access stuff in his own &quot;home&quot;.

I was using WS_FTP Pro when I tried this.

Regards,
Leif

Sun, 06/07/2009 - 07:01
Blueforce

Just me again!

The above also applies when using SSH(PuTTY)

Regards,
Leif

Sun, 06/07/2009 - 07:01
Blueforce

Hi Joe,

I'll have to ask,
Is there somehing wrong or something configured wrong on our server. After updating Dovecot and set all permissions to 750 a user still can see all users within home, even if he can't browse in to another users folder. BUT if he clicks &quot;Up&quot; in folders he can go all the way to / on the server and also browse the major part of the server folders... doing whatever he wants?!

Is it supposed to be like this?? We all the time gets more users that want to use SFTP (FTP over SSH). And I'm getting more nervous for each user that I allow to log in with SFTP (FTP over SSH). I'm starting think that I have to switch to regular FTP that locks the user to ONLY access stuff in his own &quot;home&quot;.

I was using WS_FTP Pro when I tried this.

Regards,
Leif

Sun, 06/07/2009 - 07:01
Joe
Joe's picture

Hey Leif,

<i>BUT if he clicks &quot;Up&quot; in folders he can go all the way to / on the server and also browse the major part of the server folders... doing whatever he wants?!</i>

Yes, everyone can see everything on the system that isn't behind a 750. That's normal UNIX permissions, and perfectly safe (actually probably quite a bit safer than a chrooted ssh session, by the time all risks are taken into account--which is what you're expecting the behavior to be). Private data should obviously have permissions that don't allow world access.

But what bothers you about users seeing /? We've got 40 years of multi-user UNIX systems telling us that it's a reasonable practice.

--

Check out the forum guidelines!

Topic locked