Henrique de Moraes Holschuh wrote on 07/06/2006 21:29:
> On Wed, 07 Jun 2006, Diego Fdez. Durán wrote:
>
>> So I think that the cyrus-imapd installation scripts need to add the
>> cyrus user to the ssl-cert group. (I don't know if the installer already
>> adds cyrus to group ssl-cert, sorry).
>
> THIS would be a very bad idea. Cyrus should be reading sensitive data as
> root, and not asking people to give the cyrus user any access to private
> data. I don't think we get this right in Cyrus yet, though.
It's almost impossible to get that right, if I understand the mechanisms in
cyrus correctly. The problem is that the only process started with root
rights is cyrmaster. However, cyrmaster doesn't handle the content _or_
encryption of the connections itself, it leaves that to its children (imapd,
pop3d etc.), which only get started as user cyrus.

> I am dead set *against* adding the cyrus user to the ssl-cert group. Other
> solutions, including changing documentation, default paths, etc are welcome,
> of course.

I'm with you in restricting cyrus to what it needs to do. However, I don't
see a better solution here than adding the cyrus user to the ssl-cert group.
Most setups will want to use the same SSL key & cert for Cyrus and any other
SSL-enabled service (postfix, exim, apache, just to name a few). That's
exactly what the ssl-cert group is for - IIUIC.

Any better solution is welcome.

Regards,
Sven
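An added example, not part of this thread or of the cyrus-imapd package: a POSIX shell function that reports by which path (file owner, group membership, or world-readable bits) a service user such as cyrus could read a private key file. The key path, the user name and the space-separated list of that user's groups are all caller-supplied arguments; on a live system one would pass the output of `id -nG cyrus` as the group list. It inspects only ownership and mode bits, so it shows whether membership in ssl-cert is what grants access, whether the key is readable only by root (the situation the thread describes for a child started as cyrus), or whether the key is world-readable, which no private key should be.

```shell
#!/bin/sh
# key_access KEY USER "GROUP1 GROUP2 ..." (added example, hypothetical helper)
# Prints how USER could read KEY and returns 0 when it is readable:
#   owner  - USER owns the file and the owner-read bit is set
#   group  - a group in the list owns the file and the group-read bit is set
#   world  - the other-read bit is set (a misconfiguration for a private key)
#   none   - USER cannot read it (returns 1); "missing" if KEY does not exist
# Uses find(1) -user/-group/-perm, which are POSIX, instead of the
# non-portable stat(1) flag variants.
key_access() {
    key=$1; user=$2; groups=$3
    if [ ! -e "$key" ]; then
        echo missing; return 2
    fi
    # Owner path: the file belongs to the user and is owner-readable.
    if [ -n "$(find "$key" -user "$user" -perm -u=r -print 2>/dev/null)" ]; then
        echo owner; return 0
    fi
    # Group path: this is what adding cyrus to ssl-cert would provide.
    for g in $groups; do
        if [ -n "$(find "$key" -group "$g" -perm -g=r -print 2>/dev/null)" ]; then
            echo group; return 0
        fi
    done
    # World path: readable, but a private key should never be in this state.
    if [ -n "$(find "$key" -perm -o=r -print 2>/dev/null)" ]; then
        echo world; return 0
    fi
    echo none; return 1
}

# Usage on a real host (assumed paths; adjust to the local layout):
#   key_access /etc/ssl/private/server.key cyrus "$(id -nG cyrus)"
```

The three outcomes map onto the positions in the thread: "owner" with root as the user is what Henrique wants (the key read by the privileged parent), "group" is what Diego proposes via ssl-cert, and "world" is the state a sloppy workaround tends to produce when neither is available.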