security(8) mailbox check question


security(8) mailbox check question

Adam Wolk-2
Hi misc@

I'm using an OpenSMTPD setup configured according to [1]. OpenBSD's security(8)
keeps complaining about the way I set up my maildir on the host.

TL;DR: why is u+x on a user's maildir considered bad practice?

Running security(8):

Checking mailbox ownership.
user mulander mailbox is drwx------, group mulander
user nemessica mailbox is drwx------, group nemessica

Wanting to understand what I'm doing wrong I took a look at the code
(as man security(8) only states that it checks maildir permissions, no
details).

Code performing the check is located in /usr/libexec/security

# Mailboxes should be owned by the user and unreadable.
sub check_mailboxes {

I'm not exactly sure of the intent for the comment but the culprit in
my case is the +x bit for the owner of the folder.

Simply removing that leads to issues in my setup as dovecot sieve
scripts can't traverse the directory and file mail accordingly.

Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: stat(/var/mail/mulander/tmp) failed: Permission denied (euid=1000(mulander) egid=1000(mulander) missing +x perm: /var/mail/mulander, dir owner missing perms)
Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: msgid=<[hidden email]gengine.com>: failed to store into mailbox 'INBOX': Internal error occurred. Refer to server log for more information. [2016-01-23 18:53:24]
Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of script /home/mulander/.dovecot.sieve was aborted due to temporary failure (user logfile /home/mulander/.dovecot.sieve.log may reveal additional details)


Now obviously I treat security(8) warnings seriously but I would like
to know why a +x flag is considered a bad practice here?

Regards,
Adam

---

[1]
http://blog.tintagel.pl/2015/05/08/accept-from-any-for-any-relay-via.html


Re: security(8) mailbox check question

trondd-2
On Sat, January 23, 2016 1:29 pm, Adam Wolk wrote:

> Hi misc@
>
> I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8) keeps
> complaining on the way I setup my maildir on the host.
>
> TL;DR: why u+x on users maildir is considered a bad practice?
>
> Running security(8):
>
> Checking mailbox ownership.
> user mulander mailbox is drwx------, group mulander
> user nemessica mailbox is drwx------, group nemessica
>

My guess is that since the system uses mbox format mail storage, it's
expecting /var/mail/* to be *files* not folders in which case you wouldn't
want them to be executable.  If you want to put dovecot mail in var, use a
directory other than the system location.

Tim.


Re: security(8) mailbox check question

Adam Wolk-2
In reply to this post by Adam Wolk-2
On Sat, 23 Jan 2016 19:29:36 +0100
Adam Wolk <[hidden email]> wrote:

> Hi misc@
>
> I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8)
> keeps complaining on the way I setup my maildir on the host.
>
> TL;DR: why u+x on users maildir is considered a bad practice?
>
> Running security(8):
>
> Checking mailbox ownership.
> user mulander mailbox is drwx------, group mulander
> user nemessica mailbox is drwx------, group nemessica
>
> Wanting to understand what I'm doing wrong I took a look at the code
> (as man security(8) only states that it checks maildir permissions, no
> details).
>
> Code performing the check is located in /usr/libexec/security
>
> # Mailboxes should be owned by the user and unreadable.
> sub check_mailboxes {
>
> I'm not exactly sure of the intent for the comment but the culprit in
> my case is the +x bit for the owner of the folder.
>
> Simply removing that leads to issues in my setup as dovecot sieve
> scripts can't traverse the directory and file mail accordingly.
>
> Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error:
> stat(/var/mail/mulander/tmp) failed: Permission denied
> (euid=1000(mulander) egid=1000(muland er) missing +x
> perm: /var/mail/mulander, dir owner missing perms) Jan 23 18:53:24
> tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw:
> sieve: msgid=<[hidden email]
> gengine.com>: failed to store into mailbox 'INBOX': Internal error
> occurred. Refer to server log for more information. [2016-01-23
> 18:53:24] Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error:
> K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of
> script /home/mulander/.dovecot.sieve was aborted due to temporary
> failure (user logfile /home/mulander/.dovecot.sieve.log may reveal
> additional details)
>
>
> Now obviously I treat security(8) warnings seriously but I would like
> to know why a +x flag is considered a bad practice here?
>
> Regards,
> Adam
>
> ---
>
> [1]
> http://blog.tintagel.pl/2015/05/08/accept-from-any-for-any-relay-via.html
>

After some IRC talk with ebarret we came to the following conclusions:
 - the script assumes the mailbox is a file (in my case it's a maildir)
 - the comment should say 'unreadable by others'

I think check_mailboxes should be altered when the target entry
in /var/mail is a directory. Instead of expecting u+rw it should expect
u+rwx in that specific case.

If no one raises issues with this I'll send a patch to tech@ modifying
security(8) to behave like that.

Regards,
Adam
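The check as Adam proposes it, written out as an added example (this is not OpenBSD's /usr/libexec/security code): a /var/mail entry must be owned by the user it is named after and be unreadable by others, which means -rw------- (0600) for an mbox file but drwx------ (0700) for a maildir, since the owner needs the x bit to traverse the directory. The passwd dict standing in for getpwnam(3) and the spool built in a temp directory are constructed for the demo.

```python
"""Added example, not OpenBSD's /usr/libexec/security code: the mailbox check
as the thread proposes it.  A /var/mail entry must be owned by its user and be
unreadable by others: an mbox file -rw------- (0600), a maildir drwx------
(0700), because the owner needs the x bit to traverse the directory."""
import os, stat, tempfile

MODE_FILE = 0o600  # mbox file: owner read/write only
MODE_DIR = 0o700   # maildir: owner additionally needs x to traverse it


def check_mailbox(user, path, passwd):
    """Warnings for one spool entry; passwd maps name -> uid (getpwnam stand-in)."""
    uid = passwd[user]
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        expected = MODE_DIR        # the maildir case the thread asks for
    elif stat.S_ISREG(st.st_mode):
        expected = MODE_FILE
    else:
        return [f"user {user} mailbox is neither a file nor a directory"]
    warnings = []
    if st.st_uid != uid:
        warnings.append(f"user {user} mailbox is owned by uid {st.st_uid}, expected {uid}")
    if stat.S_IMODE(st.st_mode) != expected:
        warnings.append(f"user {user} mailbox is {stat.filemode(st.st_mode)}, "
                        f"expected {oct(expected)}")
    return warnings


def check_spool(spool, passwd):
    """Run check_mailbox over every entry of the spool directory."""
    return {name: check_mailbox(name, os.path.join(spool, name), passwd)
            for name in sorted(os.listdir(spool))}


def demo():
    """Build a constructed spool in a temp dir and return its warnings."""
    me = os.getuid()
    passwd = {"mulander": me, "nemessica": me, "alice": me, "bob": me,
              "carol": me + 1}                # carol: deliberate owner mismatch
    entries = [("mulander", True, 0o700),     # maildir with u+x: fine
               ("nemessica", False, 0o600),   # mbox file: fine
               ("alice", False, 0o644),       # mbox readable by others
               ("bob", True, 0o755),          # maildir traversable by others
               ("carol", False, 0o600)]       # fine mode, wrong owner
    with tempfile.TemporaryDirectory() as spool:
        for name, is_dir, mode in entries:
            p = os.path.join(spool, name)
            os.mkdir(p) if is_dir else open(p, "w").close()
            os.chmod(p, mode)  # explicit, so the umask cannot interfere
        return check_spool(spool, passwd)
```

Calling demo() shows mulander's 0700 maildir passing cleanly, which is exactly the case the unmodified check flags.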


Re: security(8) mailbox check question

Ingo Schwarze
Hi Adam,

Adam Wolk wrote on Sat, Jan 23, 2016 at 07:54:44PM +0100:

> After some IRC talk with ebarret we came to the following conclusions:
>  - the script assumes the mailbox is a file (in my case it's a maildir)
>  - the comment should say 'unreadable by others'
>
> I think check_mailboxes should be altered when the target entry
> in /var/mail is a directory. Instead of expecting u+rw it should expect
> u+rwx in that specific case.
>
> If no one raises issues with this I'll send a patch to tech@ modifying
> security(8) to behave like that.

I already had that patch written before seeing this mail and will send
it to tech@ shortly.

Yours,
  Ingo


> On Sat, 23 Jan 2016 19:29:36 +0100
> Adam Wolk <[hidden email]> wrote:
>
> > Hi misc@
> >
> > I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8)
> > keeps complaining on the way I setup my maildir on the host.
> >
> > TL;DR: why u+x on users maildir is considered a bad practice?
> >
> > Running security(8):
> >
> > Checking mailbox ownership.
> > user mulander mailbox is drwx------, group mulander
> > user nemessica mailbox is drwx------, group nemessica
> >
> > Wanting to understand what I'm doing wrong I took a look at the code
> > (as man security(8) only states that it checks maildir permissions, no
> > details).
> >
> > Code performing the check is located in /usr/libexec/security
> >
> > # Mailboxes should be owned by the user and unreadable.
> > sub check_mailboxes {
> >
> > I'm not exactly sure of the intent for the comment but the culprit in
> > my case is the +x bit for the owner of the folder.
> >
> > Simply removing that leads to issues in my setup as dovecot sieve
> > scripts can't traverse the directory and file mail accordingly.
> >
> > Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error:
> > stat(/var/mail/mulander/tmp) failed: Permission denied
> > (euid=1000(mulander) egid=1000(muland er) missing +x
> > perm: /var/mail/mulander, dir owner missing perms) Jan 23 18:53:24
> > tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw:
> > sieve: msgid=<[hidden email]
> > gengine.com>: failed to store into mailbox 'INBOX': Internal error
> > occurred. Refer to server log for more information. [2016-01-23
> > 18:53:24] Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error:
> > K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of
> > script /home/mulander/.dovecot.sieve was aborted due to temporary
> > failure (user logfile /home/mulander/.dovecot.sieve.log may reveal
> > additional details)
> >
> >
> > Now obviously I treat security(8) warnings seriously but I would like
> > to know why a +x flag is considered a bad practice here?