config: remove chroot for Dovecot & PostSRSd#3208
Conversation
georglauterbach
added
service/dovecot
area/configuration (file)
kind/update
|
I did a quick check for chroot config in The chroot opt-out might be better served as a separate Dovecot chroot settings$ docker run --rm -itd --name dms --hostname example.test --ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" mailserver/docker-mailserver:edge
$ docker exec -it dms bash
$ setup email add [email protected] password
$ doveconf | grep -B1 chroot
mail_cache_fields = flags
mail_chroot =
--
service aggregator {
chroot = .
--
service anvil {
chroot = empty
--
service auth-worker {
chroot =
--
service auth {
chroot =
--
service config {
chroot =
--
service dict-async {
chroot =
--
service dict {
chroot =
--
service director {
chroot = .
--
service dns-client {
chroot =
--
service doveadm {
chroot =
--
service health-check {
chroot =
--
service imap-hibernate {
chroot =
--
service imap-login {
chroot = login
--
service imap-urlauth-login {
chroot = token-login
--
service imap-urlauth-worker {
chroot =
--
service imap-urlauth {
chroot =
--
service imap {
chroot =
--
service indexer-worker {
chroot =
--
service indexer {
chroot =
--
service ipc {
chroot = empty
--
service lmtp {
chroot =
--
service log {
chroot =
--
service managesieve-login {
chroot = login
--
service managesieve {
chroot =
--
service old-stats {
chroot = empty
--
service pop3-login {
chroot = login
--
service pop3 {
chroot =
--
service quota-status {
chroot =
--
service quota-warning {
chroot =
--
service replicator {
chroot =
--
service stats {
chroot =
--
service submission-login {
chroot = login
--
service submission {
chroot =
--
service tcpwrap {
chroot =
--
}
valid_chroot_dirs =Of those we can see most are empty, but we can see the following services are set:
Dovecot docs for Login processes mention
These Dovecot Rootless docs mention similar risks and only document removing the same three services the PR presently is dropping chroot for ( Despite Another user provided similar input for fixing the chroot issue citing Dovecot Rootless instructions back in Feb. They also used rootless Podman, and reported I've not seen any config for As per the postfix chroot opt-out PR, it's unclear how beneficial chroot is (although Dovecots usage differs?). I previously referenced chroot is not a security measure, not much changes here I think? If other processes like Postfix were compromised in a similar fashion, they'd have access to the same contents of |
polarathene
left a comment
polarathene
left a comment
There was a problem hiding this comment.
You may want to handle these changes via a separate .conf that is included instead.
There are other services that could also disable chroot, but I'm not sure how relevant they are to DMS usage. I know old-stats had some weird behaviour/permissions in the past, not sure if it was related to the chroot usage.
# Remove chroot
service aggregator {
chroot =
}
service anvil {
chroot =
}
service director {
chroot =
}
service ipc {
chroot =
}
service old-stats {
chroot =
}
service imap-login {
chroot =
}
service managesieve-login {
chroot =
}
service pop3-login {
chroot =
}
service submission-login {
chroot =
}
service imap-urlauth-login {
chroot =
}
A dedicated file for Dovecot's chroot environments is easier to handle and adjust later.
georglauterbach
dismissed stale reviews from polarathene and casperklein
via
a6d6de3
polarathene
left a comment
polarathene
left a comment
There was a problem hiding this comment.
LGTM 👍
Thanks for putting this together 😀
Was a pleasure to help you :) I will adjust the v12.0.0 release PR now & later after lunch and make sure everything is heading the right direction there. |
3 participants
Description
Removed
chrootjail for Dovecot & PostSRSd.Related: #3160 (see #3160 (comment))
See also: https://github.com/orgs/docker-mailserver/discussions/3172#discussioncomment-5276395
See also: #3146 (comment)
Fixes #3174
Type of change
Checklist:
docs/)