| Summary: | net-mail/dovecot-1.2.4 problem with deliver binary permissions | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | kiorky <kiorky> |
| Component: | New packages | Assignee: | Wolfram Schlich (RETIRED) <wschlich> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | net-mail+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | patch; Better patch to stick to the dovecot wiki according adding a special group. | | |
Description
kiorky
2009-09-15 16:32:29 UTC
Created attachment 204224: patch
Created attachment 204229: Better patch to stick to the dovecot wiki according adding a special group.
Dixit:
"You can do this by making sure only your MTA has execution access to it."
Thus, you can for example add something like this in your postfix configuration:
```
# master.cf service entry; continuation lines must begin with whitespace
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:mail
  argv=/usr/libexec/dovecot/deliver -n -f ${sender} -d ${user}@${nexthop}
```
I forgot to say that this patch makes deliver belong to the mail group. With that manip', you can configure your applications to use some user which is in that group and thus gain the right to use deliver while the rest of the system may be secured.

+ 18 Sep 2009; Patrick Lauer <patrick@gentoo.org> dovecot-1.2.4.ebuild: + Improving suid behaviour, fixes #285108. Thanks to kiorky for the patch.
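
An added example, not part of the bug report or its attached patches: a POSIX shell check for the condition discussed in this bug, a setuid deliver binary that users outside the MTA's group can execute. The function names and the set of checks are assumptions; the path and the mail group are the ones used in the comments above.

```shell
#!/bin/sh
# Added example: audit a setuid LDA binary such as dovecot's deliver.
# Usage: audit_deliver PATH GROUP   (GROUP = name or numeric gid; "mail" in this bug)
# Returns 0 if nothing is found, 1 on findings, 2 if PATH is not a regular file.

# has_perm PATH MODE: true if every bit in MODE is set on PATH (POSIX find).
has_perm() {
    [ -n "$(find -H "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

audit_deliver() {
    path=$1 group=$2 rc=0
    if [ ! -f "$path" ]; then
        echo "ERROR: $path is not a regular file"
        return 2
    fi
    if has_perm "$path" 4000; then
        # Setuid binary: only the owner and the MTA's group should execute it.
        if has_perm "$path" 0001; then
            echo "FAIL: $path is setuid and executable by every local user"
            rc=1
        fi
        if [ -z "$(find -H "$path" -prune -group "$group" -print 2>/dev/null)" ]; then
            echo "FAIL: $path is setuid but not owned by group $group"
            rc=1
        fi
    fi
    # A binary writable by group or others can be replaced by them.
    if has_perm "$path" 0020 || has_perm "$path" 0002; then
        echo "FAIL: $path is writable by group or others"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}

# Run as a script: sh audit.sh /usr/libexec/dovecot/deliver mail
[ "$#" -eq 0 ] || audit_deliver "$@"
```

A binary without the setuid bit passes the execute and group checks, because it then runs with the caller's own privileges.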